THE CIVIL DIVISION’S LAPTOP COMPUTER ENCRYPTION PROGRAM AND PRACTICES

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report 09-33
July 2009

TABLE OF CONTENTS

THE CIVIL DIVISION’S LAPTOP COMPUTER ENCRYPTION PROGRAM AND PRACTICES
     Introduction
     OIG Audit Approach
     OIG Results in Brief
     Background
     Finding and Recommendations
          Civil Division’s Efforts to Ensure Safeguards Over DOJ Data on Laptop Computers Need Improvement
     Conclusion
     Recommendations
STATEMENT ON INTERNAL CONTROLS
STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY
APPENDIX II: ACRONYMS
APPENDIX III: DOJ PROCUREMENT GUIDANCE DOCUMENT 08-04, SECURITY OF SYSTEMS AND DATA, INCLUDING PERSONALLY IDENTIFIABLE INFORMATION
APPENDIX IV: SAFEGUARDS AGAINST AND RESPONDING TO THE BREACH OF PERSONALLY IDENTIFIABLE INFORMATION
APPENDIX V: PROTECTION OF DEPARTMENT SENSITIVE INFORMATION ON LAPTOP AND MOBILE COMPUTING DEVICES
APPENDIX VI: CIVIL DIVISION MANAGEMENT’S RESPONSE
APPENDIX VII: OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT
Introduction

Significant losses of sensitive data and personally identifiable information (PII) have occurred in both the government and in the private sector over the past few years.[1] For example, in May 2006 the Department of Veterans Affairs (VA) reported that a laptop computer containing personal information on approximately 26 million veterans and active duty military personnel had been stolen, and an investigation determined that the laptop was not encrypted.[2] As a result, in February 2009 a federal judge approved the government’s plans to pay $20 million for out-of-pocket expenses for credit monitoring or physical symptoms of emotional distress to veterans exposed to possible identity theft resulting from the laptop loss.

On October 3, 2008, the Office of the Inspector General (OIG) received a Department of Justice Computer Emergency Readiness Team (DOJCERT) alert indicating that two unencrypted laptop computers were stolen from the offices of a consulting firm in Washington, D.C.
that was performing litigation support work for the Civil Division.

The stolen laptops included PII of Civil Division attorneys, the consultant’s employees, plaintiffs, and potentially litigation sensitive information in support of the government’s defense of sensitive civil litigation.

As a result of this incident, the OIG initiated this audit to assess the adequacy of laptop computer encryption deployment practices in the Civil Division.

[1] The term “personally identifiable information” refers to information that can be used to distinguish or trace individuals’ identity, such as their name and social security number.

[2] Encryption is the use of algorithms (i.e., mathematically expressed rules) to encode data in order to render it readable only for the intended recipient.

OIG Audit Approach

Our audit objectives were to determine whether the Civil Division complies with federal and Department of Justice (DOJ) policies regarding: (1) the use of whole disk encryption on the laptop computers that Civil Division employees, contractors, subcontractors, and other vendors use to process DOJ sensitive and classified information; and (2) encryption certification procedures for the laptop computers of contractors, subcontractors, and other vendors providing services to the Civil Division.

The scope of our audit included two types of laptop computers: (1) laptops owned by the Civil Division, and (2) laptops owned by contractors, subcontractors, and other vendors working for the Civil Division. The laptop computers owned by the Civil Division are mostly “pooled” laptops that are loaned to Civil Division employees and to contractor and subcontractor employees on an as-needed basis.
All Civil Division-owned laptop computers are authorized to process “sensitive but unclassified” information.

During our audit, we interviewed Justice Management Division (JMD), Civil Division, and contractor personnel with responsibility for encryption policy development and deployment practices. Additionally, we interviewed JMD’s Contracting Officer responsible for finalizing contractual agreements between service vendors and the Civil Division regarding security requirements for laptop computers. We also reviewed the Civil Division’s contract documents for litigation support services. Within the Civil Division, we interviewed the Contracting Officer’s Technical Representative and the Counsel to the Chief Information Officer. We also interviewed key Civil Division personnel responsible for the laptop computer loan process, security, incident reporting, and encryption installation.

In addition, we tested a judgmental sample of 49 of 244 Civil Division-owned laptop computers contained in the Civil Division’s official property management system, ARGIS. We tested whether these laptops were encrypted, were included in the Civil Division’s inventory system, and whether they displayed the required warning banners.

The Civil Division did not maintain an inventory of laptops owned by contractors, subcontractors, and vendors. Therefore, we performed testing to estimate the number of contracted litigation support providers that used non-Civil Division-owned laptop computers. We surveyed 107 (20 percent) of 540 vendors and received 83 responses. Thirty-nine of the respondents stated that they used their own laptops to process DOJ data on behalf of the Civil Division.
We surveyed these 39 respondents on whether the laptops were encrypted and whether they had received the required security instructions for protecting DOJ data. We also requested more information surrounding the Civil Division contractor’s loss of the two unencrypted laptops that occurred in October 2008.

OIG Results in Brief

Civil Division-Owned Laptop Computers

We found that all 46 Civil Division-owned operational laptop computers we tested were encrypted and compliant with DOJ requirements.[3] However, we identified weaknesses in the Civil Division’s laptop inventory, documentation, and warning banners.

The Civil Division was unable to produce an accurate inventory of the universe of laptop computers it owns from ARGIS, the official property management system. During our review, we were provided two sets of substantially different data for the number of laptops the Civil Division owned. The Civil Division’s data in the ARGIS database identified 244 Civil Division-owned laptop computers, while a laptop tracking database used by the Civil Division’s Office of Litigation Support (OLS) identified 136 laptop computers.[4] We performed limited testing of both data sources and found discrepancies between the two systems, although we found more discrepancies in ARGIS than in the OLS laptop tracking database. For example, two laptop computers listed on the OLS database printout were not contained in the ARGIS database. In addition, at least 57 of the laptop computers identified within ARGIS were previously excessed.

The Civil Division maintained four unencrypted, non-operational laptops for operating system re-imaging purposes. We found that these laptops were not appropriately labeled for this purpose.
In our judgment, these laptops should be labeled to minimize the risk of having the unencrypted laptop computers inadvertently deployed for operational use.

[3] Our test sample also included three of the four Civil Division-owned non-operational, unencrypted laptops that were used for operating system re-imaging purposes.

[4] As we explain later in the report, Civil Division officials stated that ARGIS, which is a system developed by the Department’s Justice Management Division, was not reliable. Therefore, they developed their own database to track Civil Division laptop computers.

Further, 37 of the 49 laptop computers we tested did not employ a DOJ-required system warning banner.[5] Warning banners are important safeguards because they alert potential system users that they are about to access a federal computer system and that there are ramifications for illegal and unauthorized system use.

Non-Civil Division-Owned Laptop Computers

We found a serious weakness concerning unencrypted laptop computers used by Civil Division contractors, subcontractors, and vendors. Thirty-one of 39 (79 percent) of the contractor, subcontractor, and vendors responding to our survey stated that their laptops used for processing DOJ data on behalf of the Civil Division were not encrypted.

We also found that the Civil Division was not providing security instructions to contractors, subcontractors, and other vendors for protecting DOJ data on their laptop computers.
Specifically, 48 percent of the survey respondents stated that vendors had not received security instructions for protecting DOJ data.

Background

The DOJ’s Civil Division, which has approximately 1,370 employees, represents the United States, its departments and agencies, members of Congress, Cabinet officers and other federal employees in federal litigation. Its litigation efforts involve national security issues; benefit programs; energy policies; commercial issues such as contract disputes, banking, insurance, patents, fraud, and debt collection; accident and liability claims; and violations of the immigration and consumer protection laws. As a result, the Civil Division handles sensitive data containing PII.

In its work, the Civil Division also uses contractors, subcontractors, and other vendors (such as expert witnesses, specialists, and consultants) to assist with its wide range of duties. The two major contract methods used by the Civil Division to obtain litigation support services are the Mega 3 and the Offices, Boards, and Divisions (OBD 47) contracts.[6] Contracted litigation support providers help acquire, organize, develop, and present evidence throughout the litigation process.

[5] DOJ Information Technology Security Standard, Access Control (AC) Version 2.2 (control AC-08), requires that all DOJ systems display an approved notification message before granting access to the system. The warning banner is required to be designed to remain on the laptop computers’ screen until the user takes explicit actions to log on to the information system. It warns the potential user of DOJ system access criteria and ramifications for illegal and unauthorized system use. The warning banner also contains information to relay privacy and security notices.
As of November 2008, approximately 540 contractors, subcontractors, and other vendors provided litigation support to the Civil Division.

The Civil Division reported to us that most of its Mega 3 contracted litigation support providers do not use laptop computers. However, when laptop computers are needed by contractors, subcontractors, and other vendors, the Civil Division often supplies Civil Division-owned laptop computers for their use. In some cases, however, due to time constraints brought on by fast-approaching trial dates, contractors and subcontractors are allowed to use their own laptops, subject to DOJ’s security requirements, including encryption standards.

Loss of Two Unencrypted Laptop Computers

Regarding the two stolen laptop computers from the Civil Division consultant that occurred in October 2008, the Civil Division provided us with detailed information identifying the types of Civil data stored on the stolen laptops. Specifically, the laptops contained personally identifiable information (PII) such as:

   • For Civil Division attorneys – names, cell and home phone numbers, and e-mail addresses.

   • For the consultant’s employees – names, home addresses, cell phone numbers, e-mail addresses, and possibly social security numbers.

   • For plaintiffs in Civil Division litigation – names and e-mail addresses of personnel to the extent the information may have been on a source document image.

In addition to the PII, the Civil Division ascertained that both laptops contained the consultant’s work product and other potentially litigation sensitive information (nothing higher than SBU) in support of the government’s defense of two cases that are currently before the U.S. Court of Federal Claims in Washington, D.C.
The laptops also contained a significant number of source documents from several other Civil Division cases.

[6] The Mega 3 contracts provide automated litigation support services and the OBD 47 contracts are used to procure the services of expert witnesses or litigation consultants. See Appendix I, Objectives, Scope, and Methodology for more details.

The consultant had signed the Civil Division’s Rules of Behavior for General Users, to obtain access to the Civil Division’s central file sharing system, Omega, in June and July 2008 – 3 months prior to the incident.[7] The Rules of Behavior specifically stated:

       “In the event data is downloaded from the system, ensure that it is stored upon an OLS [Office of Litigation Support - Civil Division] issued laptop or an appropriately encrypted device pursuant to OMB Memorandum 07-11.”

However, the consultant did not comply with the Rules of Behavior requirement to encrypt its laptop computers. Moreover, its employees failed to adequately secure the laptop computers at the end of their work day. The consultant explained to the Civil Division that its employees worked until 4 a.m. the morning of the incident. The employees then went home for a few hours and returned to work around 8 a.m. to find that the laptop computers had been stolen from the office. According to the police report, unknown suspects gained entry into the office by breaking the locked handle of the front interior door.

The Civil Division took several steps after this breach, including meeting with the consultant to discuss actions to ensure adequate controls are implemented to protect DOJ information.
As a result of the meeting, the consultant started using encryption software on its laptop computers to meet the Civil Division Rules of Behavior requirement that was previously signed by its employees. The consultant also discussed additional physical security requirements with its building managers to assist with preventing future thefts.

The Civil Division provided us with a memo dated March 17, 2009, that documented the Civil Division’s impact assessment activities related to the data loss. This document states that the Civil Division was able to quickly confirm with reasonable accuracy information about the volume, type, and sensitivity of data affected by this data loss incident and took steps to assess the impact the loss presented.

In addition, attorneys were able to provide prompt notice to the Court of Federal Claims and counsel for the affected defendants so they could assess the impact upon their clients. Further, the attorneys communicated with the consultant and another federal agency to determine whether its information could have been compromised as a result of this data loss incident. The attorneys were able to confirm that no safeguarded information was affected or compromised by this data loss incident.

[7] Omega is the Civil Division’s file litigation support portal used to share common litigation support documents between users working on the same cases.

In our judgment, this loss was a serious security breach, and it should serve as an impetus for the Civil Division, as well as other DOJ components, to ensure that all laptop computers used in support of its work be properly encrypted.

Laptop Encryption Policy for DOJ Employees

DOJ Order 2640.2F establishes laptop encryption policy for DOJ employees.
Chapter 2, section 12 states that information on mobile computers or devices (e.g., notebook computers, personal digital assistants) and removable media shall be encrypted using a National Institute of Standards and Technology, Federal Information Processing Standards (FIPS) 140-2 validated or NSA approved encryption mechanisms.

Laptop Encryption Policy for Contractors

On March 20, 2008, the Department’s Senior Procurement Executive issued the DOJ Procurement Guidance Document (PGD) 08-04, Security of Systems and Data, Including Personally Identifiable Information. PGD 08-04 sets forth a security clause addressing Department systems and data, including provisions governing the use of laptops by contractors, that must be included in all current and future contracts where a contractor handles data that originated within the Department, data that the contractor manages or acquires for the Department, and data that is acquired in order to perform the contract and concerns Department programs or personnel. In addition, the contractor must comply with all security requirements applicable to Department systems, and the use of contractor-owned laptops or other media storage devices to process or store data covered by this clause is prohibited until the contractor provides a letter to the contracting officer certifying the following requirements:

   1. Laptops must employ encryption using a FIPS 140-2 approved product;

   2. The contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date;

   3. Mobile computing devices must utilize anti-viral software and a host-based firewall mechanism;

   4.
The contractor must log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required. All DOJ information is considered sensitive information unless designated as non-sensitive by the Department;

   5. Contractor-owned removable media, such as removable hard drives, flash drives, CDs, and floppy disks, containing DOJ data, must not be removed from DOJ facilities unless encrypted using a FIPS 140-2 approved product;

   6. When no longer needed, all removable media and laptop hard drives shall be processed (sanitized, degaussed, or destroyed) in accordance with security requirements applicable to DOJ;

   7. Contracting firms shall keep an accurate inventory of devices used on DOJ contracts;

   8. Rules of behavior must be signed by users. These rules must address at a minimum: authorized and official use; prohibition against unauthorized users; and protection of sensitive data and personally identifiable information; and

   9. All DOJ data will be removed from contractor-owned laptops upon termination of contractor work. This removal must be accomplished in accordance with DOJ IT Security Standard requirements. Certification of data removal will be performed by the contractor’s project manager and a letter confirming certification will be delivered to the CO within 15 days of termination of contractor work.

These requirements also apply to all subcontractors who perform work in connection with Department contracts. For each subcontractor, the contractor must certify that it has required the subcontractor to adhere to all such security requirements.
Any breach by a subcontractor of any of the provisions is attributable to the contractor.

According to PGD 08-04, all current Department contracts need to be modified to include the applicable clause, within 60 days of the date of the issuance of the guidance, which was March 20, 2008. Thus, there is a 60-day grace period on all current contracts, after which, under the security clause, laptops or devices not covered by certification letters may not be used on DOJ contracts. A request for a waiver from the requirement to include these clauses, or any deviations from the language of these clauses (except those that are more stringent), must be made in writing to the Senior Procurement Executive. According to the Senior Procurement Executive, permission for a deviation or waiver would only be granted in unusual circumstances.

Civil Division’s Request for a Waiver of Implementation of PGD 08-04

In July 2008, the Civil Division issued a memorandum to the Senior Procurement Executive in response to the PGD 08-04 document in which the Civil Division requested an exemption from the requirement to incorporate the security clause into the Mega 3 and the OBD 47 contracts.[8] A wide range of professionals are hired under the Mega 3 contracts, such as project managers, law clerks, paralegals, trial consultants, courtroom presentation specialists, technical writers, and programmers. The OBD 47 contracts hire experts and consultants.

The Civil Division described the following reasons for requesting the waiver on the Mega 3 contracts:

   • The contracts are worth hundreds of millions of dollars, and changing the security requirements would require renegotiating the rates for each and every fixed line item affected by the security clause.
The Government would be at a great disadvantage if it had to renegotiate these competitively-procured contract rates.

   • The Civil Division was not in a position to certify all contractor, subcontractor, and vendor processing systems and shops. It estimated that certification of each shop would take 6 months, and cost about half a million dollars. The Civil Division stated that it did not have the resources or the funds for these certifications.

   • The Civil Division believed that work performed under the Mega 3 contracts was stringently controlled through existing mechanisms and procedures. For example, the vendor facilities are controlled – locked at all times, sign-in sheets, escorted access for visitors. All contractor personnel working for Mega 3 complete the SF-85P and are cleared to work on Civil Division contracts, sign non-disclosure agreements and are required to read and abide by standard rules of behavior.[9]

[8] As we explain later in this report, the Civil Division’s request was to exempt them from the security clause requirement for their contracts, and not to exempt its contractors’ and subcontractors’ laptops from the encryption requirement.

The Civil Division also described the following reasons for requesting the waiver for other contract vehicles including the OBD 47 contracts:

   • The Civil Division’s Assistant Attorney General would shortly issue guidance to clarify which data is “sensitive,” and Civil Division attorneys and staff would be given additional
training regarding the protection of sensitive data.[10]

   • The Civil Division would implement the agreed-upon security clause on new contracts as they are issued. The Civil Division requested an exemption on the more than 1,500 current active contracts because attempting to retrofit these already existing contracts would require resources it does not have, and lead to its losing many current experts and consultants midway through litigation.

In August 2008, JMD responded that a blanket exemption would not be possible without further assurance that sensitive data was appropriately safeguarded. With respect to the Mega 3 contracts, JMD asked that the Civil Division provide the following additional documentation:

   1. Data security guidance and instructions that were issued to vendors;

   2. Written acknowledgement from the contractors that they have received and accepted that data security guidance and instructions;

   3.
A statement by contractors agreeing to provide the data security guidance and instructions to all applicable employees and subcontractors and to provide adequate security training; and

   4. A more detailed description of the steps that were taken and would be taken to ensure that data security measures are implemented and enforced.

[9] The Standard Form (SF) 85P is the Questionnaire for Public Trust Positions that is used by the government to conduct background investigations and reinvestigations to establish that applicants or incumbents either employed by the Government or working for the Government under contract, are suitable for the job and eligible for a public trust or sensitive position.

[10] Civil Division officials stated that they were waiting on further guidance from JMD regarding possible approaches for protecting sensitive data.

With respect to the other contract vehicles, the Senior Procurement Executive informed the Civil Division that he was willing to consider such an exemption for contracts that expire within a reasonably short period of time, assuming the Civil Division had a plan in place for implementing the security requirements on new contracts. He also stated that he was concerned about contracts that go on for longer periods.
The Senior Procurement Executive asked the Civil Division for further information as to the duration of these current active contracts, and for the Civil Division to describe its plan for mitigating security risks for these contracts, particularly the ones that are not expiring within a reasonably short period of time.

In December 2008, as requested, the Civil Division provided JMD the following documentation to support the steps that the Civil Division had taken and planned to take to ensure that data security measures were implemented and enforced for the Mega 3 contracts:

   1. Excerpts from the Mega 3 contract and the Mega 3 Contract Staff IT Security Guidance which included a revised Rules of Behavior dated October 1, 2008;[11]

   2. Written acknowledgement from the contractors that they received and accepted the data security guidance and instructions;

   3. Written statements from the contractors that they will provide this guidance to their employees and subcontractors and develop adequate security training; and

   4. More detailed descriptions of the steps the Civil Division has taken to strengthen the Mega 3 information technology security policies and procedures.[12]

[11] The October 1, 2008, Rules of Behavior required that contractors encrypt all Departmental data stored on transportable/mobile computers (including laptops) and on removable media (thumb drives, compact disks, floppy disks, etc.)
being transported outside the Department’s physical perimeter.

[12] The Civil Division’s plan to strengthen security procedures for the Mega 3 contracts included updating the existing security requirements, ensuring contractors’ acknowledgment of the security requirements, conducting random audits of contractor equipment (laptops) and facilities, and developing a training plan.

The Civil Division did not provide JMD any response or documentation for the other contract vehicles, which would have included the OBD 47 contracts.

In January 2009, after reviewing the documentation provided by the Civil Division, the Senior Procurement Executive granted the waiver to exempt the security clause from being incorporated into the Mega 3 contracts. However, this waiver did not exempt contractor laptops from encryption requirements. This waiver was granted on the condition that the Civil Division implement clarifying revisions to the information technology security guidance for the Mega 3 contracts by the next quarterly update, which will be May 25, 2009.

The Senior Procurement Executive did not address any other contract vehicles in his January 2009 memo. The waiver only applied to the Mega 3 contracts and did not apply to the OBD 47 contracts.
We determined during\nour audit that the Mega 3 primary contractors had numerous subcontractors,\nwhich totaled 166 subcontractors and the OBD 47 contract report provided\nby the Civil Division identified 1,483 vendors as providing contracted\nservices to the Civil Division.13\n\nImpact of the Waiver\n\n      Although the Civil Division was granted the waiver for the Mega 3\ncontracts, the revised Rules of Behavior for the Mega 3 contracts still\nrequired that contractors encrypt all Departmental data stored on laptops\nand on removable media being transported outside the Department\xe2\x80\x99s\nphysical perimeter. Therefore, regardless of the waiver, Mega 3 contractors,\nsubcontractors, and vendors are still required to encrypt all laptop\ncomputers processing DOJ data.\n\n\n\n\n      13\n          Although the OBD 47 report identified 1,483 vendors, upon consolidation of\nmultiple awards to a single vendor by name, the total number of OBD 47 contracts was\nassessed to be approximately 374. See Appendix 1, Objectives, Scope, and Methodology\nfor more details.\n\n\n\n                                          12 \n\n\x0c              FINDING AND RECOMMENDATIONS\n\n       Civil Division\xe2\x80\x99s Efforts to Ensure Safeguards Over DOJ Data on\n       Laptop Computers Need Improvement\n\n       The Civil Division has complied with DOJ requirements by\n       ensuring that its own laptop computers are encrypted to protect\n       DOJ data. 
However, our audit identified areas where the Civil\n       Division needs to improve its security procedures to include:\n       (1) ensuring that its laptop inventory is maintained accurately in\n       ARGIS; (2) ensuring that documentation is maintained to verify\n       the successful installation of encryption software for all of its\n       laptop computers; and (3) ensuring that warning banners are\n       displayed on laptop computers to alert potential system users\n       that they are about to access a federal computer system.\n\n       In addition, the Civil Division\xe2\x80\x99s efforts to ensure contractor\n       safeguards over DOJ data need significant improvement. We\n       found that: (1) an inventory of non-Civil Division laptop\n       computers was not maintained; (2) a large percentage of\n       contractor laptops used to process DOJ data were not encrypted;\n       and (3) contractors had not received notification of DOJ laptop\n       encryption requirements.\n\nLaptop Computers Owned by the Civil Division\n\nLaptop Inventory\n\n      Office of Management and Budget (OMB) Circular A-130 requires that\na complete inventory of information resources, including personnel,\nequipment, and funds devoted to information resources management and\ninformation technology, is maintained to an appropriate level of detail.\n\n      To perform our encryption testing, it was first necessary to establish\nan accurate universe of Civil Division-owned laptop computers. The majority\nof laptop computers owned by the Civil Division are part of its lending\nprogram.14 The lending program serves the laptop computer needs of Civil\nDivision employees as well as contractors, subcontractors, and other\nvendors performing work on behalf of the Civil Division. Attorneys,\n\n       14\n          The Civil Division also had 12 laptop computers that were not used as part of its\nlending pool and 4 used solely for re-imaging purposes. 
All Civil Division laptops were\nconsidered in the universe sample group and subjected to selection as part of the OIG\xe2\x80\x99s\nencryption testing.\n\n\n                                             13 \n\n\x0cparalegals, contractors, and sub-contractors may reserve Civil Division\nlaptops for use. The laptops are retrieved from a lending pool and are\nassigned to the requestor. Couriers pick up the laptops and deliver the\nlaptops to the requestor. The laptops are usually reserved for short periods\nof time and returned by courier or in person.\n\n       The Civil Division was unable to produce an accurate inventory of the\nuniverse of laptop computers it owns from ARGIS, the official property\nmanagement system. During our review, we were provided two sets of\nsubstantially different data for the number of laptops the Civil Division\nowned. The Civil Division\xe2\x80\x99s data in the ARGIS database identified 244 Civil\nDivision-owned laptop computers, while a laptop tracking database used by\nthe Civil Division\xe2\x80\x99s Office of Litigation Support (OLS) identified 136 laptop\ncomputers. Civil Division officials stated that ARGIS, which is a system\ndeveloped by the Department\xe2\x80\x99s Justice Management Division, was not\nreliable and that they therefore developed their own database to track Civil\nDivision laptop computers.\n\n      We performed limited testing of both data sources and found\ndiscrepancies between the two systems. Consistent with the statement\nmade above by Civil Division officials, we found more discrepancies in ARGIS\nthan in the OLS laptop tracking database. For example, two laptop\ncomputers listed on the OLS database printout were not contained in the\nARGIS database. In addition, at least 57 of the laptop computers identified\nwithin ARGIS had been previously excessed. 
In our judgment, the Civil
Division needs to reconcile the differences between the two data sources and
ensure that the laptop inventory data in ARGIS is accurate and reliable.

We asked Civil Division officials about the discrepancy between the two
sources of data and were told that the inaccuracies in ARGIS stem from the
fact that the database is maintained by JMD and the Civil Division does not
have privileges to update the data within ARGIS. We followed up with JMD
and were told that JMD's Property Management Services decentralized in
2007 and granted Accountable Property Officers throughout the Offices,
Boards, and Divisions the ability to insert, update, and make final
disposition changes (deletion status) to asset records. The term "deletion
status" does not mean that assets are deleted from the database but are
instead placed into a non-active status. We shared this information with
Civil Division officials and they stated that they were unaware that they had
the capabilities to perform these functions within ARGIS. As a result, the
Civil Division stated that it will reconcile information in ARGIS with their
separate laptop tracking database. In addition, in our follow-up discussions
with JMD, we were told that JMD plans to retire the official property
management system, ARGIS, in December 2009 and will deploy a new
inventory system in the future. If this occurs, we recommend that the Civil
Division ensure that the laptop inventory data in the replacement system is
accurate and reliable.

Encryption Test Results

DOJ Order 2640.2F establishes the laptop encryption requirements for
DOJ employees. Chapter 2, section 12 of this order states that information
on mobile computers or devices (such as notebook computers, personal
digital assistants) and removable media shall be encrypted using FIPS 140-2
validated or NSA approved encryption mechanisms.

To test whether laptop computers were properly encrypted, we
selected 49 of 244 laptops contained in the ARGIS database. For each
computer selected we verified that encryption software was installed and the
date the installation was completed. We verified this by having a Civil
Division staff member turn on each laptop and we visually inspected the
Pointsec logon screen. Additionally, we accessed the Pointsec software and
verified the installation date in the log management console. We found that
all 46 Civil Division-owned operational laptop computers we tested were
encrypted and complied with DOJ requirements. Our test sample also
included three non-operational, unencrypted laptops that were used for
operating system re-imaging purposes.

Other Areas of Concern

Although encryption was the primary focus of this audit, we identified
other weaknesses in the areas of documentation and warning banners.

Documentation

DOJ Order 2640.2F, Audit and Accountability, requires that information
system audit records be maintained to the extent needed to enable security
monitoring, analysis, investigation, and reporting of unlawful, unauthorized,
or inappropriate information technology system activities.

We found that documentation was not maintained by the Civil Division
to verify the successful installation of encryption software for its laptop
computers. In the Civil Division, encryption software is installed on laptops
by a technician in the Civil Division's Office of Litigation Support. Once the
encryption installation is completed, the laptop computer is submitted to the
technician's supervisor for review and approval to be deployed.

Although the Civil Division stated that it does not allow any
non-encrypted laptop computers to be deployed, documentation was not
maintained to evidence when or if the encryption software was installed. In
the event that the laptop computer is lost, the Civil Division would not be
able to provide sufficient evidence that the encryption software was
appropriately installed.

We also have a concern about the four laptop computers used by Civil
Division's OLS to re-image other laptop computers' encryption software. The
Civil Division told us that encryption software could not be installed or it
would impede the re-imaging process and that these laptop computers are
never deployed for regular use. However, the only indicator the Civil
Division used to distinguish its re-imaging laptop computers from the loaner
laptop computers was the lack of a KIT number on the OLS laptop tracking
database printout.[15] No warning labels were attached to the re-imaging
laptop computers to indicate their special use or differentiate them from other
Civil Division laptops available for storing sensitive and PII data. In our
judgment, these computers should be clearly labeled to indicate that they are
not encrypted and are not to be used for purposes other than
re-imaging. Without such clear notice, the Civil Division runs the risk of
having the laptop computers inadvertently deployed for operational use.

Warning Banners

DOJ Information Technology Security Standard, Access Control (AC)
Family Version 2.2 (control AC-08), requires that all DOJ systems display an
approved notification message before a user accesses the computer system.
The warning banner is required to remain on the laptop computer's screen
until the user takes explicit actions to log on to the information system.
Warning banners alert potential system users that they are about to access
a federal computer system and that there are ramifications for illegal and
unauthorized system use.

We found that 37 of the 49 (76 percent) Civil Division laptop
computers we tested did not employ a DOJ system warning banner.[16]
Further examination of the Civil Division's laptop computers revealed that
this security violation occurred because the laptop computers used to
re-image other laptop computers did not contain the required warning banner.
We discussed this issue with Civil Division officials and were told that this
was an oversight.

[15] A KIT number is the unique identifier used by the Civil Division to track laptop
inventory in the OLS database.

[16] This non-statistical sample design does not allow projection of the test results to
all laptops. See Appendix I for more details.

As a result of the issues we identified pertaining to Civil Division
laptops, the Civil Division has updated its security procedures. Civil Division
officials provided us with a laptop administrator guide and a screen printout
from their laptop tracking database and stated that the Civil Division will
verify that the encryption installation date and warning banners are
employed on its laptops prior to deployment.

Laptop Computers Owned by Contractors and Subcontractors

Laptop Inventory

We asked the Civil Division for an inventory of non-Civil Division laptop
computers used by its contractors, subcontractors, and other vendors
performing litigation support on Civil Division contracts and we were told
that the Civil Division does not maintain such an inventory. During this
audit, a Civil Division official told us that it will begin to maintain an
inventory for its contractor, subcontractor, and vendor laptops.

The DOJ Procurement Guidance Document (PGD) 08-04 security
clause also requires that contracting firms keep an accurate inventory
of devices used by contractors, subcontractors, and other vendors on DOJ
contracts. Furthermore, the contractor must certify, in writing with the
contracting officer, that it has met this requirement.

Because the Civil Division did not maintain laptop inventory
information on its contractors and subcontractors, we conducted a survey to
estimate the number of contracted litigation support providers that used
non-Civil Division-owned laptop computers on Civil Division tasks.

We surveyed 107 (20 percent) of the Civil Division's 540 contractors,
subcontractors, and other vendors located throughout the United States and
abroad. We received 83 responses to our survey. We found that 39 (47
percent) of the 83 vendor responses indicated they used non-Civil Division
laptop computers to process Civil Division data.
The remaining 44 responses
from the contractors indicated that they did not use a laptop computer for
their Civil Division work.

In our view, the lack of an inventory of contractor and subcontractor-owned
laptops is a serious deficiency. Without an inventory, the Civil
Division is at risk of not being able to account for non-Civil Division laptop
computers that are authorized to process DOJ data and cannot ensure that
appropriate safeguards are in place.

Encryption Test Results for Contractors

PGD 08-04 requires that laptops owned by contractors and
subcontractors be encrypted. We found serious deficiencies with the
level of encryption employed on laptop computers owned by contractor,
subcontractor, and other vendor employees working on Civil Division
business. Of the vendors responding that they used their own laptop
computers for Civil Division work, 31 of the 39 (79 percent) stated that their
laptops were not encrypted, while the remaining 8 (21 percent) responded
that their laptops were installed with FIPS 140-2 approved encryption
software.

The 31 vendors using non-encrypted laptops were on both the Mega 3
and OBD 47 contracts. Specifically, there were 4 Mega 3 and 27 OBD 47
contractors using their own laptops without encryption installed.[17] Although
the Civil Division was granted a waiver for the Mega 3 contracts, the Civil
Division Rules of Behavior for Mega 3 require that contractors process DOJ
data on encrypted laptops. Moreover, the OBD 47 contractors did not
receive a waiver from the requirement to incorporate the security clause into
the OBD 47 contracts that requires laptop encryption. Therefore, these 31
vendors for both Mega 3 and OBD 47 contracts should have been using
encryption software on their laptops.

Security Awareness

DOJ Order 2640.2F, Awareness and Training, requires that managers
and users of DOJ information be aware of the security risks associated with
their activities and of the applicable laws related to the security of DOJ data.

We found that the Civil Division had distributed notifications of laptop
encryption requirements to some of its litigation support service providers.
However, many contractors, subcontractors, and vendors had not received
such notifications. In our survey, 40 of the 83 responses (48 percent) from
vendors indicated that they had not received security instructions for
protecting DOJ data. Of the 40 vendors that had not received security
instructions, 6 were from the Mega 3 and 34 were from the OBD 47
contracts.

[17] During the audit, we provided the Civil Division with the names of the 4 Mega 3
subcontractors that had unencrypted laptops. The Civil Division followed up with these 4
subcontractors and provided us with additional information indicating that mitigating steps
are being taken by the subcontractors to safeguard DOJ data. In addition, the Civil Division
has drafted further IT security training guidance for all Mega 3 contractors and
subcontractors.

The Civil Division's Director of Litigation Support stated that the Mega 3
contractors, subcontractors, and vendors are made aware of the importance
of laptop encryption and security requirements through weekly meetings
that are held with the vendors, which are required to manage and oversee
their own staff in regard to encryption. Also, IT security guidelines are
posted on the Civil Division's internal website, which contractors can access
after agreeing to the requirements of the Civil Division's Rules of Behavior.

However, according to a Civil Division official for the OBD 47 contracts,
these contractors are not specifically notified of the importance of laptop
encryption and security. The official also stated that there is nothing in the
contracts pertaining to encryption and security, but the Civil Division plans to
implement such procedures in the future. In our judgment, the OBD 47
contracts should have a Rules of Behavior requirement similar to the Mega 3
contracts already in place.

Civil Division officials stressed that the Mega 3 and the OBD 47
contracts are for two separate groups of contractors providing support.
During our review, we noted that there were more security controls in place
for the Mega 3 versus the OBD 47 contractors. Civil Division officials
expressed how challenging it was to obtain valuable OBD 47 contractors and
that the success of a case often depends on the testimony by experts and
consultants obtained through this contract. While Civil Division officials
recognize that enhanced security measures are needed for this group, they
expressed concern with imposing more security requirements on the OBD 47
contracts. Civil Division officials stated that the OBD 47 contractors may be
unwilling to testify if strict security requirements are forced upon them, and
this could jeopardize Civil Division cases.

While we understand the necessity of obtaining experts and consultants
for trials, we do not fully agree that requiring encryption would unduly
burden all OBD 47 contractors, since several of these contractors stated
during our survey that encryption was installed on their laptop computers.
Failure to ensure that security awareness requirements are relayed to
vendors places DOJ data at greater risk of unauthorized disclosure. In our
judgment, it is critical that all litigation support providers be made aware of
the security requirements for handling sensitive DOJ data and that the Civil
Division periodically check that such requirements are, in fact, implemented.

Conclusion

We found that all 46 Civil Division-owned operational laptop computers
we tested were encrypted to protect sensitive DOJ data, in accordance with
DOJ requirements. However, our review identified weaknesses in the areas
of inventory, documentation, and warning banners that the Civil Division
needs to address. Specifically, the Civil Division should ensure that it
maintains an accurate laptop inventory in its property management system,
ARGIS. In addition, unencrypted, non-operational laptops should be marked
as such to prevent their use for operational purposes. Further, warning
banners should be displayed on all of the Division's laptop computers to alert
potential system users that they are about to access a federal computer
system.

With respect to non-Civil Division-owned laptop computers, we
identified significant weaknesses that need to be addressed. We found that
an inventory of non-Civil Division laptop computers was not maintained.
Also, according to surveyed participants, 79 percent of contractor laptops
used to process DOJ data were not encrypted. Moreover, almost one-half of
surveyed respondents had not received notification of DOJ laptop encryption
requirements.

Given the sensitivity of the litigation work performed by the Civil
Division in such areas as national security, banking, and insurance, we
believe that Civil Division contractors, subcontractors, and vendors should
encrypt their laptop computers or exclusively use the Civil Division's laptop
computer lending pool. As a result of the issues identified in this report, we
make seven recommendations to the Civil Division to enhance its safeguards
over DOJ data on laptop computers. The officials concurred with all seven
recommendations.

Recommendations

We recommend that the Civil Division:

1. Implement procedures for ensuring that the official inventory
   database, ARGIS, or any replacement system, maintains accurate
   and reliable information for all Civil Division laptop computers.

2. Ensure the laptop administrator's guide is used to document the
   successful installation of encryption software on Civil Division
   laptop computers.

3. Label re-imaging computers to indicate that they are not encrypted
   and not for operational use.

4. Ensure the laptop administrator's guide is used to verify that
   system warning banners are installed on all Civil Division laptop
   computers as required by DOJ policy.

5. Develop and maintain an inventory of authorized or approved
   non-Civil Division owned laptop computers for contractors,
   subcontractors, and other entities providing contract support
   services for the Civil Division.

6. Ensure that all non-Civil Division laptop computers used to process
   DOJ data are encrypted or require contractors to use encrypted
   Civil Division provided hardware.

7. Ensure that all contract support providers are aware of security
   information procedures for handling DOJ data in accordance with
   DOJ policy.

STATEMENT ON INTERNAL CONTROLS

As required by the Government Auditing Standards, we tested, as
appropriate, internal controls significant within the context of our audit
objectives. A deficiency in an internal control exists when the design or
operation of a control does not allow management or employees, in the
normal course of performing their assigned functions, to timely prevent or
detect: (1) impairments to the effectiveness and efficiency of operations,
(2) misstatements in financial or performance information, or (3) violations
of laws and regulations. Our evaluation of the Civil Division's internal
controls was not made for the purpose of providing assurance on its internal
control structure as a whole.
The Civil Division\xe2\x80\x99s management is responsible\nfor the establishment and maintenance of internal controls.\n\n      As noted in the Finding section of this report, we identified deficiencies\nin the Civil Division\xe2\x80\x99s internal controls that are significant within the context\nof the audit objectives and based upon the audit work performed that we\nbelieve adversely affect the Civil Division\xe2\x80\x99s ability to ensure that DOJ data is\nappropriately protected from unauthorized access, use, disclosure,\ndisruption, modification, or destruction.\n\n      Because we are not expressing an opinion on the Civil Division\xe2\x80\x99s\ninternal control structure as a whole, this statement is intended solely for\nthe information and use of the Civil Division and the Department of Justice.\nThis restriction is not intended to limit the distribution of this report, which is\na matter of public record.\n\n\n\n\n                                        22 \n\n\x0c                      STATEMENT ON COMPLIANCE \n\n                     WITH LAWS AND REGULATIONS \n\n\n       As required by the Government Auditing Standards we tested, as\nappropriate given our audit scope and objectives, selected transactions,\nrecords, procedures, and practices, to obtain reasonable assurance that the\nCivil Division\xe2\x80\x99s management complied with federal laws and regulations, for\nwhich non-compliance, in our judgment, could have a material effect on the\nresults of our audit. The Civil Division\xe2\x80\x99s management is responsible for\nensuring compliance with federal laws and regulations applicable to the\ninformation security controls. 
In planning our audit, we identified the\nfollowing laws and regulations that concerned the operations of the Civil\nDivision and that were significant within the context of the audit objectives:\n\n    \xe2\x80\xa2\t\t Senior Procurement Executive Procurement \n\n        Guidance Document (PGD) 08-04, \n\n    \xe2\x80\xa2\t\t OMB M-07-16,\n    \xe2\x80\xa2\t\t Protection of Department Sensitive Information on Laptop and Mobile\n        Computing Devices,\n    \xe2\x80\xa2\t\t OMB Circular A-130,\n    \xe2\x80\xa2\t\t DOJ Order 2640.2F, and\n    \xe2\x80\xa2\t\t DOJ IT Security Standards.\n\n      Our audit included examining, on a test basis, the Civil Division\xe2\x80\x99s\ncompliance with the aforementioned laws and regulations that could have a\nmaterial effect on the Civil Division\xe2\x80\x99s operations. We interviewed key\npersonnel within the Civil Division, as well as performed a physical review on\nselected Civil Division-owned laptop computers. Additionally, we contacted a\nselect group of vendors contracted to provide litigation support services to\nthe Civil Division.\n\n       As noted in the Finding section of this report, we found that tested\nCivil Division-owned laptop computers were encrypted as required by DOJ\npolicy. However, improvements are needed with the Civil Division\xe2\x80\x99s laptop\ncomputers program and practices in the areas of laptop inventory and\nwarning banners. Significant improvements are required on the use of\nnon-Civil Division laptop computers by litigation support providers.\n\n\n\n\n                                      23 \n\n\x0c                                                                APPENDIX I \n\n\n\n               OBJECTIVES, SCOPE, AND METHODOLOGY\n\n      We conducted this performance audit in accordance with generally\naccepted government auditing standards. 
Those standards require that we\nplan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n       This audit was performed to assess the Civil Division\xe2\x80\x99s laptop computer\nencryption program and practices. Specifically, our audit objectives were to\ndetermine whether the Civil Division complies with federal and DOJ policies\nregarding: (1) the use of whole disk encryption on employees\xe2\x80\x99, contractors\xe2\x80\x99,\nsubcontractors\xe2\x80\x99, and other vendors\xe2\x80\x99 laptop computers used to process DOJ\nsensitive and classified information; and (2) laptop computers\xe2\x80\x99 encryption\ncertification procedures for contractors, subcontractors, and other vendors\nproviding services to the Civil Division.\n\n       Our audit covered a 2-month period from November 12, 2008, through\nJanuary 16, 2009. We performed field work on-site at the Civil Division\xe2\x80\x99s\noffices in Washington, D.C. During the audit period, key JMD, Civil Division,\nand contractor personnel with responsibilities related to encryption policy\ndevelopment and deployment practices were interviewed. We interviewed\nJMD\xe2\x80\x99s Contracting Officer responsible for finalizing contractual agreements\nbetween service vendors and the Civil Division and asked specific questions\nregarding security requirements for laptop computers. 
We also reviewed the\nCivil Division\xe2\x80\x99s contract documents for litigation support services.\n\n       Within the Civil Division, we interviewed the Contracting Officer\xe2\x80\x99s\nTechnical Representative, and Counsel to the Chief Information Officer, as\nwell as, key personnel responsible for tracking the loan process of laptop\ncomputers, laptop security, incident reporting, and laptop encryption\ninstallation.\n\n      Our testing of Civil Division laptop computers was conducted by\njudgmentally selecting a sample of 49 of 244 of the Civil Division\xe2\x80\x99s laptop\ncomputers identified within the official ARGIS database to be tested as part\nof the physical encryption verification process. This non-statistical sample\ndesign does not allow projection of the test results to all laptops.\n\n      Because the Civil Division did not maintain laptop inventory\ninformation on its contractors and subcontractors, we performed testing to\nestimate the number of contracted litigation support providers that used\n\n\n                                     24 \n\n\x0cnon-Civil Division-owned laptop computers. To accomplish this we\nperformed a survey of contractors, subcontractors, and other vendors from\nthe two major contract methods used by the Civil Division to obtain litigation\nsupport services \xe2\x80\x93 Mega 3 and Office, Boards, and Division (OBD) contracts.\n\n      The Mega 3 contracts were awarded to three primary contractors:\nCACI International Inc., Labat-Anderson Incorporated, and Lockheed Martin.\nAs of November 2008, each primary contractor had numerous\nsubcontractors, which totaled 166 subcontractors. The Civil Division\nprovided the OIG with documents to evidence that the three primary\ncontractors for the Mega 3 contracts did not use non-Civil Division-owned\nlaptop computers to process Civil Division data. 
Therefore, the primary contractors were not included in our survey.

As of November 2008, the OBD 47 contract report provided by the Civil Division identified 1,483 vendors as providing contracted services to the Civil Division. After consolidating multiple awards to a single vendor by name, we assessed the total number of OBD contracts to be approximately 374.

Therefore, as of November 2008, our universe of the Civil Division's contractors, subcontractors, and other vendors totaled 540 (166 + 374). We surveyed 107 (20 percent) of the 540 vendors and received 83 responses. The responses are detailed in the Finding and Recommendations section of this report.


APPENDIX II

ACRONYMS

DOJ       Department of Justice
DOJCERT   Department of Justice Computer Emergency Readiness Team
JMD       Justice Management Division
OBD       Office, Boards, and Division
OIG       Office of the Inspector General
OLS       Office of Litigation Support
OMB       Office of Management and Budget
PII       Personally Identifiable Information


APPENDIX III

U.S. Department of Justice
Washington, D.C. 20530
MAR 20

MEMORANDUM FOR BUREAU PROCUREMENT CHIEFS

FROM:     Michael H. Allen
          Senior Procurement Executive

SUBJECT:  DOJ Procurement Guidance Document 08-04, Security of Systems and Data Including Personally Identifiable Information

My memorandum of January 18, 2008, notified you of recent instances of contractor loss of equipment containing sensitive data relating to Department programs or personnel. Section A of this guidance document sets forth a required security clause addressing Department systems and data, including provisions governing the use of laptops by contractors, to be included in all current and future contracts where a contractor handles data that originated within the Department, data that the contractor manages or acquires for the Department, and/or data that is acquired in order to perform the contract and concerns Department programs or personnel. Please note that in Section A, paragraphs a, b, and d apply to all data, even data that may not be personally identifiable information (PII).[1] Section B of this guidance document sets forth a required clause that must be used in contracts involving personally identifiable information obtained by the Department from a contractor, such as an information reseller or data broker. This guidance document supersedes Procurement Guidance Document 06-10.

A. Security of Systems and Data, Including Personally Identifiable Information.

The following clause must be used in any contract where the contractor handles data that originated within the Department, data that the contractor manages or acquires for the Department, and/or data that is acquired in order to perform the contract and concerns Department programs or personnel.

[1] The term "personally identifiable information," as defined by OMB, means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Security of Systems and Data, Including Personally Identifiable Data.

a. Systems Security

The work to be performed under this contract requires the handling of data that originated within the Department, data that the contractor manages or acquires for the Department, and/or data that is acquired in order to perform the contract and concerns Department programs or personnel.

For all systems handling such data, the contractor shall comply with all security requirements applicable to Department of Justice systems, including but not limited to all Executive Branch system security requirements (e.g., requirements imposed by OMB and NIST), DOJ IT Security Standards, and DOJ Order 2640.2E.
The contractor shall provide DOJ access to and information regarding the contractor's systems when requested by the Department in connection with its efforts to ensure compliance with all such security requirements, and shall otherwise cooperate with the Department in such efforts. DOJ access shall include independent validation testing of controls, system penetration testing by DOJ, FISMA data reviews, and access by the DOJ Office of the Inspector General for its reviews.

The use of contractor-owned laptops or other media storage devices to process or store data covered by this clause is prohibited until the contractor provides a letter to the contracting officer (CO) certifying the following requirements:

1. Laptops must employ encryption using a NIST Federal Information Processing Standard (FIPS) 140-2 approved product;
2. The contractor must develop and implement a process to ensure that security and other applications software is kept up-to-date;
3. Mobile computing devices will utilize anti-viral software and a host-based firewall mechanism;
4. The contractor shall log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or its use is still required. All DOJ information is sensitive information unless designated as non-sensitive by the Department;
5. Contractor-owned removable media, such as removable hard drives, flash drives, CDs, and floppy disks, containing DOJ data, shall not be removed from DOJ facilities unless encrypted using a NIST FIPS 140-2 approved product;
6. When no longer needed, all removable media and laptop hard drives shall be processed (sanitized, degaussed, or destroyed) in accordance with security requirements applicable to DOJ;
7. Contracting firms shall keep an accurate inventory of devices used on DOJ contracts;
8. Rules of behavior must be signed by users. These rules shall address at a minimum: authorized and official use; prohibition against unauthorized users; and protection of sensitive data and personally identifiable information;
9. All DOJ data will be removed from contractor-owned laptops upon termination of contractor work. This removal must be accomplished in accordance with DOJ IT Security Standard requirements. Certification of data removal will be performed by the contractor's project manager and a letter confirming certification will be delivered to the CO within 15 days of termination of contractor work;

b. Data Security

By acceptance of, or performance on, this contract, the contractor agrees that with respect to the data identified in paragraph a, in the event of any actual or suspected breach of such data (i.e., loss of control, compromise, unauthorized disclosure, access for an unauthorized purpose, or other unauthorized access, whether physical or electronic), the contractor will immediately (and in no event later than within one hour of discovery) report the breach to the DOJ CO and the contracting officer's technical representative (COTR).

If the data breach occurs outside of regular business hours and/or neither the CO nor the COTR can be reached, the contractor shall call the DOJ Computer Emergency Readiness Team (DOJCERT) at 1-866-US4-CERT (1-866-874-2378) within one hour of discovery of the breach. The contractor shall also notify the CO as soon as possible during regular business hours.

c. Personally Identifiable Information Notification Requirement

The contractor further certifies that it has a security policy in place that contains procedures to promptly notify any individual whose personally identifiable information (as defined by OMB) was, or is reasonably believed to have been, breached.
Any notification shall be coordinated with the Department, and shall not proceed until the Department has made a determination that notification would not impede a law enforcement investigation or jeopardize national security. The method and content of any notification by the contractor shall be coordinated with, and be subject to the approval of, the Department. The contractor assumes full responsibility for taking corrective action consistent with the Department's Data Breach Notification Procedures, which may include offering credit monitoring when appropriate.

d. Pass-through of Security Requirements to Subcontractors

The requirements set forth in Paragraphs a through c above apply to all subcontractors who perform work in connection with this contract. For each subcontractor, the contractor must certify that it has required the subcontractor to adhere to all such requirements. Any breach by a subcontractor of any of the provisions set forth in this clause will be attributed to the contractor.

B. Information Resellers or Data Brokers

For contracts where the Department obtains PII from a contractor (such as an information reseller or data broker) but the contractor does not handle the data described in Section A of this guidance document, the following clause must be used:

Information Resellers or Data Brokers

Under this contract, the Department obtains personally identifiable information about individuals from the contractor. The contractor hereby certifies that it has a security policy in place which contains procedures to promptly notify any individual whose personally identifiable information (as defined by OMB) was, or is reasonably believed to have been, lost or acquired by an unauthorized person while the data is under the control of the contractor.
In any case in which the data that was lost or improperly acquired reflects or consists of data that originated with the Department, or reflects sensitive law enforcement or national security interest in the data, the contractor shall notify the Department contracting officer so that the Department may determine whether notification would impede a law enforcement investigation or jeopardize national security. In such cases, the contractor shall not notify the individuals until it receives further instruction from the Department.

In my memorandum dated January 18, 2008, I encouraged you to identify all current and upcoming contracts that require the exchange of PII and other Departmental data between the contractor and the Department that need to include this security coverage. All current contracts to be covered will need to be modified to include the applicable clause within 60 days of the date of this memorandum. Thus, there is a 60-day grace period on all current contracts, after which, under the security clause, laptops or devices not covered by certification letters may not be used on DOJ contracts. Contracting officers should alert contractors of this requirement as soon as possible in order to avoid disruption in the use of laptops.
A request for a waiver from the requirement to include these clauses, or deviations from the language of these clauses (except those that are more stringent), must be made in writing to the Senior Procurement Executive. Permission for a deviation or waiver will only be granted in unusual circumstances.


APPENDIX IV

EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503

DEPUTY DIRECTOR FOR MANAGEMENT

May 22, 2007
M-07-16

MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES

FROM:     Clay Johnson III
          Deputy Director for Management

SUBJECT:  Safeguarding Against and Responding to the Breach of Personally Identifiable Information

Safeguarding personally identifiable information[1] in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. This is a responsibility shared by officials accountable for administering operational and privacy and security programs, legal counsel, Agencies' Inspectors General and other law enforcement, and public and legislative affairs.
It is also a function of applicable laws, such as the Federal Information Security Management Act of 2002 (FISMA)[2] and the Privacy Act of 1974.[3]

As part of the work of the Identity Theft Task Force,[4] this memorandum requires agencies to develop and implement a breach notification policy[5] within 120 days. The attachments to this memorandum outline the framework within which agencies must develop this breach notification policy[6] while ensuring proper safeguards are in place to protect the information.[7] Agencies should note the privacy and security requirements addressed in this Memorandum apply to all Federal information and information systems.[8] Breaches subject to notification requirements include both electronic systems as well as paper documents. In short, agencies are required to report on the security of information systems in any format (e.g., paper, electronic, etc.).[9]

[1] The term "personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
[2] Title III of the E-Government Act of 2002, Pub. L. No. 107-347.
[3] 5 U.S.C. § 552a.
[4] Executive Order 13402 charged the Identity Theft Task Force with developing a comprehensive strategic plan for steps the federal government can take to combat identity theft, and recommending actions which can be taken by the public and private sectors. On April 23, 2007, the Task Force submitted its report to the President, titled "Combating Identity Theft: A Strategic Plan." This report is available at www.idtheft.gov.
[5] For the purposes of this policy, the term "breach" is used to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic.
[6] Agencies should use a best judgment standard to develop and implement a breach notification policy. Using a best judgment standard, the sensitivity of certain terms, such as personally identifiable information, can be determined in context. For example, an office rolodex contains personally identifiable information (name, phone number, etc.). In this context the information probably would not be considered sensitive; however, the same information in a database of patients at a clinic which treats contagious disease probably would be considered sensitive information. Similarly, using a best judgment standard, discarding a document with the author's name on the front (and no other personally identifiable information) into an office trashcan likely would not warrant notification to US-CERT.
[7] Terms not specifically defined within this Memorandum (e.g., sensitive) should be considered to reflect the definition found in a commonly accepted dictionary.

In formulating a breach notification policy, agencies must review their existing requirements with respect to Privacy and Security (see Attachment 1). The policy must include existing and new requirements for Incident Reporting and Handling (see Attachment 2) as well as External Breach Notification (see Attachment 3). Finally, this document requires agencies to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information (see Attachment 4).

Within the framework set forth in the attachments, agencies may implement more stringent policies and procedures reflecting the mission of the agency. While this framework identifies a number of steps to greatly reduce the risks related to a data breach of personally identifiable information, it is important to emphasize that a few simple and cost-effective steps may well deliver the greatest benefit, such as:

    o  reducing the volume of collected and retained information to the minimum necessary;
    o  limiting access[10] to only those individuals who must have such access; and
    o  using encryption, strong authentication procedures, and other security controls to make information unusable by unauthorized individuals.

This Memorandum should receive the widest possible distribution within your agency and each affected organization and individual should understand their specific responsibilities for implementing the procedures and requirements.
Materials created in response to this Memorandum and attachments should be made available to the public through means determined by the agency, e.g., posted on the agency web site, by request, etc.

Consistent with longstanding policy requiring agencies to incorporate the costs for securing their information systems, all costs of implementing this memorandum, including development, implementation, notification to affected individuals, and any remediation activities, will be addressed through existing agency resources of the agency experiencing the breach.

[8] FISMA security requirements apply to Federal information and information systems, including both paper and electronic format.
[9] A plan to review the controls for information systems not previously included in other security reviews must be addressed in the agency's breach notification policy (e.g., timeframe for completion of review, etc.); however, completion of the review for those systems is not required to be finished within the 120-day timeframe for development of the policy.
[10] In this policy, "access" means the ability or opportunity to gain knowledge of personally identifiable information.

Because of the many alternate ways to implement a risk-based program within the framework provided, this Memorandum, or its attachments, should not be read to mean an agency's failure to implement one or more of the many security provisions discussed within[11] would constitute less than adequate protections required by the Privacy Act.
These new requirements do not create any rights or benefits, substantive or procedural, which are enforceable at law against the government.

Questions about this Memorandum should be directed to Hillary Jaffe of my staff at hjaffe@omb.eop.gov.

Attachments

[11] For example, FISMA or associated standards, policies, or guidance issued by OMB or the National Institute of Standards and Technology (NIST).


Attachment 1: Safeguarding Against the Breach of Personally Identifiable Information

This Attachment reemphasizes the responsibilities under existing law, executive orders, regulations, and policy to appropriately safeguard personally identifiable information and train employees on responsibilities in this area (Section A).[12] It also establishes two new privacy requirements and discusses five security requirements as described below (Sections B and C).

A. Current Requirements

1. Privacy Act Requirements. In particular, the Privacy Act of 1974 (Privacy Act)[13] requires each agency to:

    a. Establish Rules of Conduct. Agencies are required to establish "rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of [the Privacy Act], including any other rules and procedures adopted pursuant to [the Privacy Act] and the penalties for noncompliance." (5 U.S.C. § 552a(e)(9))

    b. Establish Safeguards. Agencies are also required to "establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience or unfairness to any individual on whom information is maintained."[14]

    c. Maintain accurate, relevant, timely and complete information. The Privacy Act also requires personally identifiable information within a system of records to be maintained in a manner that is accurate, relevant, timely, and complete including through the use of notices to the public.[15] It is important for agencies to fulfill their responsibilities with respect to identifying systems of records and developing and publishing notices as required by the Privacy Act and OMB's implementing policies.[16] By collecting only the information necessary and managing it properly, agencies can often reduce the volume of information they possess, the risk to the information, and the burden of safeguarding it.

[12] This Memorandum, or its attachments, should not be read to mean an agency's failure to implement one or more of the many provisions of FISMA or associated standards, policies, or guidance issued by OMB or the National Institute of Standards and Technology (NIST) would constitute less than adequate protections required by the Privacy Act of 1974.
[13] 5 U.S.C. § 552a.
[14] 5 U.S.C. § 552a(e)(10).
[15] The Privacy Act requires agencies to "maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination" in their systems of records. 5 U.S.C. § 552a(e)(5).

2. Security Requirements.

Below are four particularly important existing security requirements agencies already should be implementing:

    a. Assign an impact level to all information and information systems.
Agencies must follow the processes outlined in Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, to categorize all information and information systems according to the standard's three levels of impact (i.e., low, moderate, or high). Agencies should generally consider categorizing sensitive personally identifiable information (and information systems within which such information resides) as moderate or high impact.

    b. Implement minimum security requirements and controls. For each of the impact levels identified above, agencies must implement the minimum security requirements and minimum (baseline) security controls set forth in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, respectively.

    c. Certify and accredit information systems. Agencies must certify and accredit (C&A) all information systems supporting the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.[17] The specific procedures for conducting C&A are set out in NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, and include guidance for continuous monitoring of certain security controls. Agencies' continuous monitoring should assess a subset of the management, operational, and technical controls used to safeguard such information (e.g., Privacy Impact Assessments).

    d. Train employees. Agencies must initially train employees (including managers) on their privacy and security responsibilities before permitting access to agency information and information systems.
Thereafter, agencies must provide at least annual refresher training to ensure employees continue to understand their responsibilities.[18] Additional or advanced training should also be provided commensurate with increased responsibilities or change in duties.

Both initial and refresher training must include acceptable rules of behavior and the consequences when the rules are not followed. For agencies implementing tele-work and other authorized remote access programs, training must also include the rules of such programs.[19]

[16] The Privacy Act requires agencies to publish a notice of any new or intended use of information maintained in a system of records in the Federal Register to provide an opportunity for the public to submit comments. 5 U.S.C. § 552a(e)(4). Agencies are also required to publish notice of any subsequent substantive revisions to the use of information maintained in the system of records. 5 U.S.C. § 552a(e)(11). OMB Circular A-130 ("Management of Federal Information Resources") offers additional guidance on this issue. OMB Circular A-130, App. I, sec. 4.c.
[17] 44 U.S.C. 3544(b).

B. Privacy Requirements

1. Review and Reduce the Volume of Personally Identifiable Information.

    a. Review Current Holdings. Agencies must now also review their current holdings of all personally identifiable information and ensure, to the maximum extent practicable, such holdings are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of a documented agency function.[20] Agency-specific implementation plans and progress updates regarding this review will be incorporated as requirements in agencies' annual report under FISMA.

Following this initial review, agencies must develop and make public a schedule by which they will periodically update the review of their holdings.
This schedule may be part of an agency's annual review and any consolidated publication of minor changes of Privacy Act systems of records notices.

To help safeguard personally identifiable information, agencies are reminded they must meet the requirements of FISMA and associated policies and guidance from the OMB and NIST.[21] FISMA requires each agency to implement a comprehensive security program to protect the agency's information and information systems; agency Inspectors General must independently evaluate the agency's program; and agencies must report annually to OMB and Congress on the effectiveness of their program.

[18] Agencies may schedule training to coincide with existing activities, such as ethics training. Communications and training related to privacy and security must be job-specific and commensurate with the employee's responsibilities. The Department of Defense, the Office of Personnel Management, and the Department of State offer agencies a minimum baseline of security awareness training as part of the Information Systems Security Line of Business.
[19] Agencies should also consider augmenting their training by using creative methods to promote daily awareness of employees' privacy and security responsibilities, such as weekly tips, mouse pads imprinted with key security reminders, privacy screens for public use of laptops, and incentives for reporting security risks.
[20] To the extent agencies are substantively performing these reviews, agencies should leverage these efforts to meet the new privacy requirements. This provision does not apply to the accessioned holdings (archival records) held by the National Archives and Records Administration (NARA).
[21] The Department of Defense and Intelligence Community establish their own policy and guidance for the security of their information systems. 44 U.S.C. 3543(c).

Within the above framework, agencies may implement more stringent procedures governed by specific laws, regulations, and agency procedures to protect certain information, for example, taxpayer data, census information, and other information.

2. Reduce the Use of Social Security Numbers.

    a. Eliminate Unnecessary Use. Agencies must now also review their use of social security numbers in agency systems and programs to identify instances in which collection or use of the social security number is superfluous. Within 120 days from the date of this memo, agencies must establish a plan in which the agency will eliminate the unnecessary collection and use of social security numbers within eighteen months.[22]

    b. Explore Alternatives. Agencies must participate in government-wide efforts to explore alternatives to agency use of Social Security Numbers as a personal identifier for both Federal employees and in Federal programs (e.g., surveys, data calls, etc.).

C. Security Requirements

While agencies continue to be responsible for implementing all requirements of law and policy, below are five requirements[23] agencies must implement which derive from existing security policy and NIST guidance. These requirements are applicable to all Federal information, e.g., law enforcement information, etc.

    •  Encryption. Encrypt, using only NIST certified cryptographic modules,[24] all data on mobile computers/devices carrying agency data unless the data is determined not to be sensitive, in writing, by your Deputy Secretary[25] or a senior-level individual he/she may designate in writing;
    •  Control Remote Access. Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access;
    •  Time-Out Function. Use a "time-out" function for remote access and mobile devices requiring user re-authentication after thirty minutes of inactivity;
    •  Log and Verify. Log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required; and
    •  Ensure Understanding of Responsibilities. Ensure all individuals with authorized access to personally identifiable information and their supervisors sign at least annually a document clearly describing their responsibilities.

[22] Agencies with questions addressing this assignment regarding the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) should contact their respective desk officer at the Office of Management and Budget.
[23] See OMB Memo 06-16, "Protection of Sensitive Agency Information" (www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf).
[24] See NIST's website at http://csrc.nist.gov/cryptval/ for a discussion of the certified encryption products.
[25] Non-cabinet agencies should consult the equivalent of a Deputy Secretary.

Agencies should also contemplate and incorporate best practices to prevent data breaches. Examples of such practices might include using privacy screens when working outside the office or requiring employees to include laptop computers in carry-on luggage rather than checked baggage.


Attachment 2: Incident Reporting and Handling Requirements

This Attachment applies to security incidents involving the breach of personally identifiable information whether in electronic or paper format. For the purposes of reporting, agencies must continue to follow existing requirements, as modified and described below.

A. Existing Requirements

1. FISMA Requirements. FISMA requires each agency to:

    •  implement procedures for detecting, reporting and responding to security incidents, including mitigating risks associated with such incidents before substantial damage is done
    •  notify and consult with:
        o  the Federal information security incident center
        o  law enforcement agencies and Inspectors General
        o  an office designated by the President for any incident involving a national security system
        o  any other agency or office in accordance with law or as directed by the President.[26]
    •  implement NIST guidance and standards[27]

Federal Information Processing Standards Publication 200 (FIPS 200) and NIST Special Publication 800-53 provide a framework for categorizing information and information systems, and provide minimum security requirements and minimum (baseline) security controls for incident handling and reporting.
The procedures agencies must already use to implement the\nabove FISMA requirements are found in two primary guidance documents: NIST Special\n                                                                   28\nPublication 800-61, Computer Security Incident Handling GUide ; and the concept of operations\nfor the Federal security incident handling center located within the Department of Homeland\nSecurity, i.e., United States Computer Emergency Readiness Team (US_CERT)29\n\n\n\n\n26 44 USC \xc2\xa7 3544(b)(7).\n27 For additional information on NISI guidance and standards, see www.nist.gov.\n28 See "Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and\nTechnology" (http://csrc.nist. gov Ipublications/nistpubs/800-6l Isp800-6l. pdD.\n29 The responsibilities of US-CERT are outlined in 44 US.C \xc2\xa7 3546. Its complete set of operating procedures may\nbe found on the US-CERT website (www.us-cert.gov/federalireportingReguirements.html). Separate procedures are\nin place for the Department of Defense as identified in Directive 0-8530-1 and all components report incidents to\nthe Joint Task Force Global Network Operations (JTF-GNO), which, in turn, coordinates directly with the US\xc2\xad\nCERT.\n\n\n\n\n                                                      39 \n\n\x0c2. Incident Handling and Response Mechanisms. When faced with a security incident, an\nagency must be able to respond in a manner protecting both its own information and helping to\nprotect the information of others who might be affected by the incident. To address this need,\nagencies must establish formal incident response mechanisms. To be fully effective, incident\nhandling and response must also include sharing information concerning common vulnerabilities\nand threats with those operating other systems and in other agencies. 
In addition to training\nemployees on how to prevent incidents, all employees must also be instructed in their roles and\nresponsibilities regarding responding to incidents should they occur.\n\nB. Modified Agency Reporting Requirements\n\n1. US-CERT Modification. Agencies must report all incidents involving personally\nidentifiable information to US-CER T. This reporting requirement does not distinguish between\npotential and confirmed breaches. The US-CERT concept of operations for reporting Category I\nincidents is modified as follows:\n\n   Category l. Unauthorized Access or Any Incident Involving Personally Identifiable\n   Information. In this category agencies must report when: I) an individual gains logical or\n   physical access without permission to a federal agency network, system, application, data, or\n   other resource; or 2) there is a suspected or confirmed breach of personally identifiable\n   information regardless of the manner in which it might have occurred. Reporting to US\xc2\xad\n   CERT is required within one hour of discovery/detection.\n       \xe2\x80\xa2 For incidents involving personally identifiable information, agencies must:\n               o Continue to follow internal agency procedures for notifying agency officials\n                   including your agency privacy official and Inspector General;\n               o Notify the issuing bank if the breach involves government-authorized credit\n                   cards; and\n               o Notify US-CERT within one hour. Although only limited information about\n                   the breach may be available, US-CERT must be advised so it can assist in\n                   coordinating communications with the other agencies. 
Updates should be\n                   provided as further information is obtained.\n       \xe2\x80\xa2 Under specific procedures established for these purposes, after notification by an\n           agency, US-CERT will notify the appropriate officials.\n       \xe2\x80\xa2 Monthly, US-CERT will distribute to designated officials in the agencies and\n           elsewhere, a report identifying the number of confirmed breaches of personally\n           identifiable information and will also make available a public version ofthe report.\n\n2. Develop and Publish a Routine Use.\n\n   a. Effective Response. A federal agency\'s ability to respond quickly and effectively in the\nevent of a breach of federal data is critical to its efforts to prevent or minimize any consequent\n\n\n\n\n                                               40 \n\n\x0chann. 30 An effective response necessitates disclosure of infonnation regarding the breach to\nthose individuals affected by it, as well as to persons and entities in a position to cooperate,\neither by assisting in notification to affected individuals or playing a role in preventing or\nminimizing hanns from the breach.\n\n    b. Disclosure ofInfonnation. Often, the infonnation to be disclosed to such persons and\nentities is maintained by federal agencies and is subject to the Privacy Act (5 U.S.C. \xc2\xa7 552a).\nThe Privacy Act prohibits the disclosure of any record in a system of records by any means of\ncommunication to any person or agency absent the written consent of the subject individual,\nunless the disclosure falls within one of twelve statutory exceptions.3l In order to ensure an\nagency is in the best position to respond in a timely and effective manner, in accordance with 5\nU.S.C. 
\xc2\xa7 552a(b )(3) of the Privacy Act, agencies should publish a routine use for appropriate\nsystems specifically applying to the disclosure of infonnation in connection with response and\nremedial efforts in the event of a data breach as follows:\n\n        To appropriate agencies, entities, and persons when (I) [the agency] suspects or\n        has confirmed that the security or confidentiality of infonnation in the system of\n        records has been compromised; (2) the Department has detennined that as a result\n        of the suspected or confinned compromise there is a risk of harm to economic or\n        property interests, identity theft or fraud, or harm to the security or integrity of\n        this system or other systems or programs (whether maintained by the Department\n        or another agency or entity) that rely upon the compromised infonnation; and (3)\n        the disclosure made to such agencies, entities, and persons is reasonably\n        necessary to assist in connection with the Department\'s efforts to respond to the\n        suspected or confinned compromise and prevent, minimize, or remedy such\n              32\n        hann.\n\nAs described in the President\'s Identity Theft Task Force\'s Strategic Plan, all agencies should\npublish a routine use for their systems of records allowing for the disclosure of infonnation in the\ncourse of responding to a breach of federal data. 
33 Such a routine use will serve to protect the\ninterests of the individuals whose infonnation is at issue by allowing agencies to take appropriate\nsteps to facilitate a timely and effective response, thereby improving their ability to prevent,\nminimize, or remedy any hann resulting from a compromise of data maintained in their systems\nof records.\n\n\n\n30 Here, "hann" means damage, fiscal damage, or loss or misuse of information which adversely affects one or more\nindividuals or undermines the integrity of a system or program.\n31\n   5 USC \xc2\xa7\xc2\xa7 552a(b)(J)-(12).\n32 See Appendix B of the Identity Theft Task Force report (www.identitytheft.govireportsiStrategicPlan.pdo.\n33Id\n\n\n\n\n                                                     41 \n\n\x0cAttachment 3: External Breach Notification\n\nTo ensure consistency across government, this Attachment identifies the questions and factors\neach agency should consider in determining when notification outside the agency should be\n                                         34\ngiven and the nature of the notification. This Attachment does not attempt to set a specific\nthreshold for external notification since breaches are specific and context dependant and\nnotification is not always necessary or desired. The costs of any notifications must be borne by\nthe agency experiencing the breach from within existing resources.\n\nA. Background\n\n1. Harm. Breaches can implicate a broad range of harms to individuals, including the potential\nfor identity theft; however, this Section does not discuss actions to address possible identity theft\nor fraud. Agencies are referred to the ID Theft Task Force\'s Strategic Plan for guidance.\n\n2. Requirement. Agencies must implement the one specific new requirement discussed below;\ni.e., develop a breach notification policy and plan (see Section B. below).\n\n3. Threshold questions. 
Both the decision to provide external notification on the occasion of a\nbreach and the nature of the notification will require agencies to resolve a number of threshold\nquestions. 35 The likely risk of harm and the level of impact will determine when, what, how and\nto whom notification should be given. 36\n\nNotification of those affected and/or the public allows those individuals the opportunity to take\nsteps to help protect themselves from the consequences of the breach. Such notification is also\nconsistent with the "openness principle" of the Privacy Act that calls for agencies to inform\nindividuals about how their information is being accessed and used, and may help individuals\nmitigate the potential harms resulting from a breach.\n\n4. Chilling Effects of Notices. A number of experts have raised concerns about unnecessary\nnotification and the chilling effect this may have on the pUblic. 37 In addition, agencies should\n\n34 These factors do not apply to an agency\'s notification to US-CERT. Agencies must report all incidents - potential\nand confirmed - involving personally identifiable information to US-CERT.\n35 Notice may not be necessary if, for example, the information is properly encrypted because the information would\nbe unusable.\n36 See OMB\'s September 20, 2006 memorandum titled "Recommendations for Identity Theft Related Data Breach\nNotification" for information and recommendations for planning and responding to data breaches which could result\nin identity theft (www.whitehouse.gov/omb/memoranda/fy2006!task force theft memo.pdf) .\n37 Federal Trade Commission, Prepared Statement of the Federal Trade Commission Before the Committee on\nCommerce, Science, and Transportation, u.s. Senate, on Data Breaches and Identity Theft (Washington, D.C: June\n16,2005), p. 10. 
In this testimony, the Federal Trade Commission raised concerns about the threshold for which\nconsumers should be notified of a breach, cautioning that too strict a standard could have several negative effects.\n\n\n\n\n                                                       42 \n\n\x0cconsider the costs to individuals and businesses of responding to notices where the risk of hann\nmay be low. Agencies should exercise care to evaluate the benefit of notifying the public of low\nimpact incidents.\n\nB. New Requirement\n\nEach agency should develop a breach notification policy and plan comprising the elements\ndiscussed in this Attachment. In implementing the policy and plan, the Agency Head will make\nfinal decisions regarding breach notification.\n\nSix elements should be addressed in the policy and plan and when considering external\nnotification:\n\n     \xe2\x80\xa2   whether breach notification is required\n     \xe2\x80\xa2   timeliness of the notification\n     \xe2\x80\xa2   source of the notification\n     \xe2\x80\xa2   contents of the notification\n     \xe2\x80\xa2   means of providing the notification\n     \xe2\x80\xa2   who receives notification: public outreach in response to a breach\n\nTo ensure adequate coverage and implementation of the plan, each agency should establish an\nagency response team including the Program Manager of the program experiencing the breach,\nChiefInfonnation Officer, Chief Privacy Officer or Senior Official for Privacy, Communications\nOffice, Legislative Affairs Office, General Counsel and the Management Office which includes\nBudget and Procurement functions. 38 A more detailed description of these elements is set forth\nbelow:\n\n1. Whether Breach Notification is Required\n\nTo detennine whether notification of a breach is required, the agency should first assess the\nlikely risk of harm caused by the breach and then assess the level of risk. 
Agencies should\nconsider a wide range ofhanns, such as hann to reputation and the potential for harassment or\nprejudice, particularly when health or financial benefits infonnation is involved in the breach. 39\nAgencies should bear in mind that notification when there is little or no risk of hann might create\n\n\n38Non-Cabinet-level agencies should include their functional equivalent.\n39For reference, the express language of the Privacy Act requires agencies to consider a wide range of hanns:\nagencies shall "establish appropriate administrative, technical and physical safeguards to insure the security and\nconfidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which\ncould result in substantial hann, embarrassment, inconvenience, or unfairness to any individual on whom\ninformation is maintained." 5 u.S.C \xc2\xa7 552a (e)(IO).\n\n\n\n\n                                                         43 \n\n\x0cunnecessary concern and confusion. 40 Additionally, under circumstances where notification\ncould increase a risk of harm, the prudent course of action may be to delay notification while\nappropriate safeguards are put in place.\n\nFive factors should be considered to assess the likely risk of harm:\n\n    a. Nature ofthe Data Elements Breached. The nature of the data elements compromised is a\nkey factor to consider in determining when and how notification should be provided to affected\nindividuals. 41 It is difficult to characterize data elements as creating a low, moderate, or high risk\nsimply based on the type of data because the sensitivity of the data element is contextual. A\n                                                                        42\nname in one context may be less sensitive than in another context. 
In assessing the levels of\nrisk and harm, consider the data element(s) in light of their context and the broad range of\npotential harms flowing from their disclosure to unauthorized individuals.\n\n    b. Number ofIndividuals Affected. The magnitude of the number of affected individuals\nmay dictate the methodes) you choose for providing notification, but should not be the\ndetermining factor for whether an agency should provide notification.\n\n    c. Likelihood the Information is Accessible and Usable. Upon learning of a breach, agencies\nshould assess the likelihood personally identifiable information will be or has been used by\nunauthorized individuals. An increased risk that the information will be used by unauthorized\nindividuals should influence the agency\'s decision to provide notification.\n\nThe fact the information has been lost or stolen does not necessarily mean it has been or can be\naccessed by unauthorized individuals, however, depending upon a number of physical,\ntechnological, and procedural safeguards employed by the agency. (See Attachment 1 above.) If\nthe information is properly protected by encryption, for example, the risk of compromise may be\nlow to non-existent. 43\n\nAgencies will first need to assess whether the personally identifiable information is at a low,\nmoderate, or high risk of being compromised. 
The assessment should be guided by NIS T\n\n\n40 Another consideration is a surfeit of notices, resulting from notification criteria which are too strict, could render\nall such notices less effective, because consumers could become numb to them and fail to act when risks are truly\nsignificant.\n41 For example, theft of a database containing individuals\' names in conjunction with Social Security numbers,\nand/or dates of birth may pose a high level ofrisk of harm, while a theft of a database containing only the names of\nindividuals may pose a lower risk, depending on its context.\n42 For example, breach of a database of names of individuals receiving treatment for contagious disease may pose a\nhigher risk of hann, whereas a database of names of subscribers to agency media alerts may pose a lower risk of\nharm.\n43 In this context, proper protection means encryption has been validated by NISI.\n\n\n\n\n                                                          44 \n\n\x0c2. Timeliness of the Notification\n\nAgencies should provide notification without unreasonable delay following the discovery of a\nbreach, consistent with the needs of law enforcement and national security and any measures\nnecessary for your agency to determine the scope of the breach and, if applicable, to restore the\nreasonable integrity of the computerized data system compromised.\n\nDecisions to delay notification should be made by the Agency Head or a senior-level individual\nhe/she may designate in writing. In some circumstances, law enforcement or national security\nconsiderations may require a delay if it would seriously impede the investigation of the breach or\nthe affected individual. However, any delay should not exacerbate risk or harm to any affected\nindividual( s).\n\n3. 
Source of the Notification\n\nIn general, notification to individuals affected by the breach should be issued by the Agency\nHead, or senior-level individual he/she may designate in writing, or, in those instances where the\nbreach involves a publicly known component of an agency, such as the Food and Drug\nAdministration or the Transportation Security Administration, the Component Head. This\ndemonstrates it has the attention of the chief executive of the organization. Notification\ninvolving only a limited number of individuals (e.g., under 50) may also be issued jointly under\nthe auspices of the ChiefInformation Officer and the Chief Privacy Officer or Senior Agency\nOfficial for Privacy. This approach signals the agency recognizes both the security and privacy\nconcerns raised by the breach.\n\nWhen the breach involves a Federal contractor or a public-private partnership operating a system\nof records on behalf of the agency, the agency is responsible for ensuring any notification and\ncorrective actions are taken. The roles, responsibilities, and relationships with contractors or\npartners should be reflected in your breach notification policy and plan, your system certification\nand accreditation documentation, and contracts and other documents.\n\n4. Contents of the Notification\n\nThe notification should be provided in writing and should be concise, conspicuous, plain\nlanguage. The notice should include the following elements:\n\n   \xe2\x80\xa2   A brief description of what happened, including the date(s) of the breach and of its\n       discovery;\n\n\n\n\n                                               45 \n\n\x0csecurity standards and guidance. Other considerations may include the likelihood any\nunauthorized individual will know the value of the information and either use the information or\nsell it to others.\n\nd. Likelihood the Breach May Lead to Harm\n\n        1. Broad Reach ofPotential Harm. 
The Privacy Act requires agencies to protect against\nany anticipated threats or hazards to the security or integrity of records which could result in\n"substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom\ninformation is maintained. ,,44 Additionally, agencies should consider a number of possible harms\nassociated with the loss or compromise of information. Such harms may include the effect of a\nbreach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of\nprivate facts, mental pain and emotional distress, the disclosure of address information for\nvictims of abuse, the potential for secondary uses of the information which could result in fear or\nuncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem.\n\n        2. Likelihood Harm Will Occur. The likelihood a breach may result in harm will depend\non the manner of the actual or suspected breach and the type(s) of data involved in the incident.\nSocial Security numbers and account information are useful to committing identity theft, as are\ndate of birth, passwords, and mother\'s maiden name. If the information involved, however, is a\nname and address or other personally identifying information, the loss may also pose a\nsignificant risk of harm if, for example, it appears on a list of recipients patients at a clinic for\ntreatment of a contagious disease.\n\nIn considering whether the loss of information could result in identity theft or fraud, agencies\n                                                            45\nshould consult guidance from the Identity Theft Task Force\n\n    e. Ability ofthe Agency to Mitigate the Risk of Harm. Within an information system, the\nrisk of harm will depend on how the agency is able to mitigate further compromise of the\nsystem( s) affected by a breach. 
In addition to containing the breach, appropriate\ncountermeasures, such as monitoring system(s) for misuse of the personal information and\n                                                    46\npatterns of suspicious behavior, should be taken. Such mitigation may not prevent the use of\nthe personal information for identity theft, but it can limit the associated harm. Some harm may\nbe more difficult to mitigate than others, particularly where the potential injury is more\nindividualized and may be difficult to determine.\n\n\n445 USC \xc2\xa7 552a(e)(IO).\n45 See "Recommendations for Identity Theft Related Data Breach Notification"\n\n(www. whitehouse. gov 10m blm em oranda/fy2006!task force theft m em o. pdf) .\n46 For example, if the infonnation relates to disability beneficiaries, monitoring a beneficiary database for requests\nfor change of address may signal fraudulent activity.\n\n\n\n\n                                                         46 \n\n\x0c    \xe2\x80\xa2   To the extent possible, a description of the types of personal infonnation involved in the\n        breach (e.g., full name, Social Security number, date of birth, home address, account\n        number, disability code, etc.);\n    \xe2\x80\xa2   A statement whether the infonnation was encrypted or protected by other means, when\n        detennined such infonnation would be beneficial and would not compromise the security\n        of the system;\n    \xe2\x80\xa2   What steps individuals should take to protect themselves from potential hann, if any;\n    \xe2\x80\xa2   What the agency is doing, if anything, to investigate the breach, to mitigate losses, and to\n        protect against any further breaches; and\n    \xe2\x80\xa2   Who affected individuals should contact at the agency for more infonnation, including a\n        toll-free telephone number, e-mail address, and postal address.\n\nGiven the amount of infonnation required above, you may want to consider layering the\ninfonnation 
as suggested in Section 5 below, providing the most important infonnation up front,\nwith the additional details in a Frequently Asked Questions (F AQ) fonnat or on your web site. If\nyou have knowledge the affected individuals are not English speaking, notice should also be\nprovided in the appropriate language( s). You may seek additional guidance on how to draft the\nnotice from the Federal Trade Commission, a leader in providing clear and understandable\nnotices to consumers, as well as from communication experts who may assist you in designing\n               47\nmodel notices. A standard notice should be part of your approved breach plan.\n\n5. Means of Providing Notification\n\nThe best means for providing notification will depend on the number of individuals affected and\nwhat contact infonnation is available about the affected individuals. Notice provided to\nindividuals affected by a breach should be commensurate with the number of people affected and\nthe urgency with which they need to receive notice. The following examples are types of notice\nwhich may be considered.\n\n    a. Telephone. Telephone notification may be appropriate in those cases where urgency may\ndictate immediate and personalized notification and/or when a limited number of individuals are\naffected. Telephone notification, however, should be contemporaneous with written notification\nby first-class mail.\n\n\n\n\n47 Additional guidance on how to draft a notice is available in the FTC publication titled "Dealing with a Data\nBreach" Cwww.ftc.gov/bcp/edu/microsites/idtheft/business/data-breach.htmll. Although the brochure is designed for\nprivate sector entities that have experienced a breach, it contains sample notice letters that could also serve as a\nmodel for federal agencies. You may also seek guidance from communications experts who may assist you in\ndesigning model notices.\n\n\n\n\n                                                      47 \n\n\x0c    b. First-Class Mail. 
First-class mail notification to the last known mailing address of the\nindividual in your agency\'s records should be the primary means notification is provided. Where\nyou have reason to believe the address is no longer current, you should take reasonable steps to\nupdate the address by consulting with other agencies such as the US Postal Service. The notice\nshould be sent separately from any other mailing so that it is conspicuous to the recipient. If the\nagency which experienced the breach uses another agency to facilitate mailing (for example, if\nthe agency which suffered the loss consults the Internal Revenue Service for current mailing\naddresses of affected individuals), care should be taken to ensure the agency which suffered the\nloss is identified as the sender, and not the facilitating agency. The front of the envelope should\nbe labeled to alert the recipient to the importance of its contents, e.g., "Data Breach Information\nEnclosed" and should be marked with the name of your agency as the sender to reduce the\nlikelihood the recipient thinks it is advertising mail.\n\n    c. E-Mail. E-mail notification is problematic, because individuals change their e-mail\naddresses and often do not notify third parties of the change. Notification by postal mail is\npreferable. However, where an individual has provided an e-mail address to you and has\nexpressly given consent to e-mail as the primary means of communication with your agency, and\nno known mailing address is available, notification bye-mail may be appropriate. E-mail\nnotification may also be employed in conjunction with postal mail if the circumstances of the\nbreach warrant this approach. E-mail notification may include links to the agency and\nwww.USA.gov 48 web sites, where the notice may be "layered" so the most important summary\nfacts are up front with additional information provided under link headings.\n\n    d. Existing Government Wide Services. 
Agencies should use Government wide services\nalready in place to provide support services needed, such as USA Services, including toll free\nnumber of l-800-FedInfo and www.USA.gov.\n\n    e. N ewsoaoers or other Public Media Outlets. Additionally, you may supplement individual\nnotification with placing notifications in newspapers or other public media outlets. You should\nalso set up toll-free call centers staffed by trained personnel to handle inquiries from the affected\nindividuals and the public.\n\n    f. Substitute Notice. Substitute notice in those instances where your agency does not have\nsufficient contact information to provide notification. Substitute notice should consist of a\nconspicuous posting of the notice on the home page of your agency\'s web site and notification to\nmajor print and broadcast media, including major media in areas where the affected individuals\nreside. The notice to media should include a toll-free phone number where an individual can\nlearn whether or not his or her personal information is included in the breach.\n\n48   The current domain name for the Federal Internet portal required by section 204 of the E-Govemment Act of 2002\nIS   www.usa.gov .\n\n\n\n\n                                                        48 \n\n\x0c    g. Accommodations. Special consideration to providing notice to individuals who are\nvisually or hearing impaired consistent with Section 508 of the Rehabilitation Act of 1973 should\nbe given. Accommodations may include establishing a Telecommunications Device for the\nDeaf (TDD) or posting a large type notice on the agency web site.\n\n6. Who Receives Notification: Public Outreach in Response to a Breach\n\n    a. Notification ofIndividuals. The final consideration in the notification process when\nproviding notice is to whom you should provide notification: the affected individuals, the public\nmedia, and/or other third parties affected by the breach or the notification. 
Unless notification to individuals is delayed or barred for law enforcement or national security reasons, once it has been determined to provide notice regarding the breach, affected individuals should receive prompt notification.

   b. Notification of Third Parties including the Media. If communicating with third parties regarding a breach, agencies should consider the following.

        1. Careful Planning. An agency's decision to notify the public media will require careful planning and execution so that it does not unnecessarily alarm the public. When appropriate, public media should be notified as soon as possible after the discovery of a breach and the response plan, including the notification, has been developed. Notification should focus on providing information, including links to resources, to aid the public in its response to the breach. Notification may be delayed upon the request of law enforcement or national security agencies as described above in Section 2. To the extent possible, when necessary prompt public media disclosure is generally preferable because delayed notification may erode public trust.

        2. Web Posting. Agencies should post information about the breach and notification in a clearly identifiable location on the home page of your agency web site as soon as possible after the discovery of a breach and the decision to provide notification to the affected individuals. The posting should include a link to Frequently Asked Questions (FAQ) and other talking points to assist the public's understanding of the breach and the notification process.[49] The information should also appear on the www.USA.gov web site. You may also consult with GSA's USA Services regarding using their call center.

        3. Notification of other Public and Private Sector Agencies. Other public and private sector agencies may need to be notified on a need to know basis, particularly those that may be affected by the breach or may play a role in mitigating the potential harms stemming from the breach.[50]

        4. Congressional Inquiries. Agencies should be prepared to respond to inquiries from other governmental agencies such as the Government Accountability Office and Congress.

    c. Reassess the Level of Impact Assigned to the Information. After evaluating each of these factors, you should review and reassess the level of impact you have already assigned to the information using the impact levels defined by the NIST.[51] The impact levels - low, moderate, and high - describe the (worst case) potential impact on an organization or individual if a breach of security occurs.[52]

    •   Low: the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets or individuals.
    •   Moderate: the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets or individuals.
    •   High: the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets or individuals.

The impact levels will help determine when and how notification should be provided. Where there is a range of risk levels attributed to the factors, the decision to provide notification should give greater weight to the likelihood the information is accessible and usable and whether the breach may lead to harm. If agencies appropriately apply the five risk factors discussed in section 1 of this attachment within the fact-specific context, it is likely notification will only be given in those instances where there is a reasonable risk of harm and will not lead to the overuse of notification.

[49] See the FAQ posted by the Department of Veterans Affairs in response to the May 2006 incident for examples of links to identity theft resources and a sample FAQ (www.usa.gov/veteransinfo.shtml).
[50] For example, a breach involving medical information may warrant notification of the breach to health care providers and insurers through the public or specialized health media, and a breach of financial information may warrant notification to financial institutions through the federal banking agencies.
[51] See FIPS 199 and Attachment 1 of this memorandum. Reassessment is suggested as the context of any breach may alter your original designation.
[52] The determination of the potential impact of loss of information is made by the agency during an information system's certification and accreditation process.

Attachment 4: Rules and Consequences

A. New Requirement: Rules and Consequences Policy.

Fairness requires that managers, supervisors and employees be informed and trained regarding their respective responsibilities relative to safeguarding personally identifiable information and the consequences and accountability for violation of these responsibilities. Therefore, it is the responsibility of each agency head to develop and implement an appropriate policy outlining the rules of behavior and identifying consequences and corrective actions available for failure to follow these rules. Consequences should be commensurate with level of responsibility and type of personally identifiable information involved. Supervisors also must be reminded of their responsibility to instruct, train and supervise employees on safeguarding personally identifiable information. Agencies should develop and implement these policies in accordance with the agency's respective existing authorities.

As with any disciplinary action, the particular facts and circumstances, including whether the breach was intentional, will be considered in taking appropriate action. Supervisors also should be reminded that any action taken must be consistent with law, regulation, applicable case law, and any relevant collective bargaining agreement. Supervisors should understand they may be subject to disciplinary action for failure to take appropriate action upon discovering the breach or failure to take required steps to prevent a breach from occurring.

Agencies having questions regarding development of a rules and consequences policy may contact OPM's Center for Workforce Relations and Accountability Policy at (202) 606-2930.

1. Affected Individuals. At a minimum, each agency should have a documented policy in place which applies to employees of the agency (including managers), and its contractors, licensees, certificate holders, and grantees.

2. Affected Actions. The agency's policy should describe the terms and conditions affected individuals shall be subject to and identify available corrective actions. Rules of behavior and corrective actions should address the following:

     •   Failure to implement and maintain security controls, for which an employee is responsible and aware, for personally identifiable information regardless of whether such action results in the loss of control[53] or unauthorized disclosure of personally identifiable information;
     •   Exceeding authorized access to, or disclosure to unauthorized persons of, personally identifiable information;
     •   Failure to report any known or suspected loss of control or unauthorized disclosure of personally identifiable information; and
     •   For managers, failure to adequately instruct, train, or supervise employees in their responsibilities.

3. Consequences. Applicable consequences may include reprimand, suspension, removal, or other actions in accordance with applicable law and agency policy. The minimum consequence agencies should consider is prompt removal of authority to access information or systems from individuals who demonstrate egregious disregard or a pattern of error in safeguarding personally identifiable information.

[53] Here, "control" means the authority of the government agency that originates information, or its successor in function, to regulate access to the information. Having control is a condition or state and not an event. Loss of control is also a condition or state which may or may not lead to an event, i.e., a breach.

                                                                            APPENDIX V

                                               U.S. Department of Justice

  DEC 26 2007

MEMORANDUM FOR ALL DEPARTMENT OF JUSTICE EMPLOYEES

FROM:                Vance E. Hitch
                     Chief Information Officer

SUBJECT:              Protection of Department Sensitive Information on Laptop and Mobile Computing Devices

The Department of Justice maintains a significant amount of sensitive information, including Personally Identifiable Information (PII), on its computer systems.
The purpose of this memorandum is to remind Department personnel of their responsibility to protect Department information on laptops and other mobile computing devices and on removable media. This memorandum also reminds personnel of their responsibility to report the loss of sensitive data.

   •   All Department laptop computers and mobile computing devices processing sensitive information must employ Department approved encryption using Federal Information Processing Standard FIPS 140-2 (as amended) compliant software.

   •   All Department removable media which contains sensitive information and is being transported outside of the Department's secured, physical perimeter should employ Department approved encryption using Federal Information Processing Standard FIPS 140-2 (as amended) compliant software and remain in the personal custody of the individual when outside of Departmental facilities.

   •   All incidents involving known loss of PII must be reported within one hour of discovery or detection to the DOJCERT at (866) 874-2378. Any loss of any data storage devices, such as laptop computers, flash drives, disks, and tapes, must be reported within the same one hour time frame.

If you have any questions or require additional information, please contact Kevin Deeley, Deputy Director of the Information Technology Security Staff on (202) 353-2421 or mailto:kevin.deeley@usdoj.gov.

                                                                                 APPENDIX VI

             CIVIL DIVISION MANAGEMENT'S RESPONSE

                                                       U.S. Department of Justice
                                                       Civil Division
                                                       Washington, D.C. 20530

                                                       July 6, 2009

MEMORANDUM

To:       Raymond J. Beaudet
          Assistant Inspector General for Audit

From:     Kenneth L. Zwick
          Director, Office of Management Programs
          Civil Division

Re:       Draft Audit Report: The Civil Division's Laptop Computer Encryption Program and Practices

       This memorandum is in response to the Draft Audit Report issued by the Office of the Inspector General (OIG) on May 19, 2009. The Civil Division appreciates the significant work performed by the OIG in auditing the Civil Division's encryption policies and practices, and agrees with the recommendations set forth in the report. The Division recognizes the need to adequately safeguard its data, and has reviewed the report's recommendations from this perspective.

         The report discusses deficiencies in data encryption by contractors and subcontractors, and in the security instructions given them. As an initial matter, we note that the majority of such findings apply to experts, neutrals, and consultants hired by the Division under OBD-47 agreements. Unlike the Mega-3 contractors also discussed in the report, OBD-47 contractors are not often large litigation support firms, but individuals from teaching hospitals, academic institutions, or private practice. OBD experts generally do not provide expert services as a primary vocation, but regard their participation in Civil Division cases as a public service. As individual experts, they are not necessarily proficient with technology, nor do they have IT staffs on which to rely. The Civil Division is committed to safeguarding its data as recommended by the OIG.
However, because of the varied and individual nature of such expert services, imposing security requirements without compromising our ability to produce expert testimony in fast-paced litigation presents special challenges.[1]

         The Civil Division maintains a laptop computer tracking database. As noted in the report, this was necessary in part because of issues with the existing data in the ARGIS database provided by the Justice Management Division. The report notes discrepancies in both the ARGIS database and in the Division's internal laptop computer tracking database. Although the Division is not aware of any errors currently in the internal laptop computer tracking database, it will be further examined to ensure accuracy. We note, however, that both examples of inconsistencies in the two databases given in the report point to inaccuracies in ARGIS, rather than in the Civil Division laptop computer tracking database. Consistent with the report's recommendations, the Civil Division has recently completed a physical inventory of all laptop computers, and a wall-to-wall inventory of all accountable property. The Civil Division is in the process of reconciling the ARGIS database with these inventories to ensure accuracy. JMD has advised the Division that they will retire the aging ARGIS database system on November 1, 2009, and migrate data to the new Unicenter Asset Portfolio Management (UAPM) system.

        Of note, the OIG report includes the result of testing a sample of computers in the Civil Division lending pool for the presence of a warning banner. The auditors found that 76% of the 47 laptop computers tested did not contain warning banners.[2] Further investigation by the Civil Division indicates that this issue was confined to a single model of laptop computer, which comprised only 46% of the laptop computer lending program inventory.
Since this omission was discovered, laptop computer lending practices have been modified to document the presence of the banner on each loaner laptop computer before it is issued to the user.

        In the course of the investigation, the auditors spoke with four subcontractors under the Mega-3 contract who reported having unencrypted laptop computers. Follow-up by the Civil Division indicates that three of those subcontractors did use laptop computers, but those computers did not contain DOJ data. However, the remaining subcontractor did not comply with Civil Division requirements regarding data security. Based on the OIG's investigation, mitigating steps are being taken with regard to the remaining Mega-3 subcontractor, and all Mega-3 contractors have received further security guidance and training.

        [1] The OIG report states that the Civil Division initially provided a report listing 1,483 vendors hired under OBD-47 agreements. Actually, this represented the total number of OBD-47 agreements in force, rather than the number of unique vendors. Typically, one OBD-47 is executed for a contractor's work on each matter. Accordingly, a single expert, neutral, or consultant may be party to multiple OBD-47 agreements. The figure stated in the OIG report of approximately 374 unique vendors is correct.

        [2] The OIG report notes that this is a non-statistical sample that does not allow projection of the results to all Civil Division laptop computers.

                            RESPONSE TO RECOMMENDATIONS

       The Civil Division agrees with the recommendations set forth in the OIG report. Below are comments specific to each recommendation and expected times for implementation.

        1. Implement procedures for ensuring that the official inventory database, ARGIS, or any replacement system, maintains accurate and reliable information for all Civil Division laptop computers.

        This recommendation has already been implemented in part. Previously, the Accountable Property Officer for the Civil Division had annotated the ARGIS database to reflect older units that had been excessed. As noted in the report, authority to make changes to ARGIS database records to directly reflect these annotations was granted to the Civil Division in 2007; however, no training nor any information on these new features was provided. The annotations regarding excessed units were ultimately incorporated into the ARGIS database at the completion of the Civil Division's Physical Inventory of Capitalized Property and Portable Computers on March 26, 2009.

        To help ensure the accuracy of the current ARGIS database, the Civil Division has in place procedures for conducting a physical inventory of laptop computers annually, and a wall-to-wall inventory of all accountable property every two years. Previously, the results of this audit were provided to JMD so ARGIS could be updated, but are now incorporated directly into the ARGIS database to reduce the possibility of error. The most recent laptop computer inventory was completed on March 26, 2009. The most recent wall-to-wall inventory was completed on May 21, 2009.

       JMD has informed us that the conversion to the UAPM system (the successor to the ARGIS system), will take place on November 1, 2009. The Civil Division looks forward to working with JMD to obtain adequate training and documentation to help ensure that it is accurately maintained.

         2. Ensure the laptop administrator's guide is used to document the successful installation of encryption software on Civil Division laptop computers.

         This recommendation has been implemented. The Civil Division's laptop computer lending program tracking database has been updated to require the administrator to record whether a loaner laptop computer displays proper encryption information as a final step before it is released to the user. The relevant database screen now contains a link to the Laptop Administrator's Guide for reference. Screen shots of the relevant portion of the database are at Appendix A.

        3. Label re-imaging computers to indicate that they are not encrypted and not for operational use.

        This recommendation has been implemented. The phrase "Not encrypted - not for operational use" has been permanently marked on the re-imaging laptop computers.

         4. Ensure the laptop administrator's guide is used to verify that system warning banners are installed on all Civil Division laptop computers as required by DOJ policy.

        This recommendation has been implemented. The Civil Division's laptop computer lending program tracking database has been updated to require the administrator to record whether a loaner laptop computer displays the warning banner as a final step before it is released to the user. The relevant database screen now contains a link to the Laptop Administrator's Guide for reference. Screen shots of the relevant portion of the database are at Appendix A.

         5. Develop and maintain an inventory of authorized or approved non-Civil Division owned laptop computers for contractors, subcontractors, and other entities providing contract support services for the Civil Division.

         This recommendation has been implemented for contractors, subcontractors, and other entities under the Mega-3 contract.

        The process for authorizing the use of laptop computers not owned by the Civil Division by contractors, subcontractors, and other entities hired pursuant to an OBD-47 will be part of a comprehensive set of procedures. Please see the response to recommendation #6.

        6. Ensure that all non-Civil Division laptop computers used to process DOJ data are encrypted or require contractors to use encrypted Civil Division provided hardware.

       This recommendation has been implemented for contractors under the Mega-3 contract.

          Implementing this recommendation for contractors hired under an OBD-47 will likely require a comprehensive set of new procedures, including changes in contract language, technical support resources, additional hardware acquisition, additional personnel, and training. It is likely that some OBD-47 contractors will have the resources to comply with this requirement. For others who may lack the technical sophistication to comply with the requirement, the Civil Division may have to provide some limited support or encrypted hardware. Any such hardware would have to be identified, tested, procured, and deployed. It is likely that the administrative overhead for this will require additional personnel. Finally, those acting as points of contact for OBD-47 contractors will require training in the additional contracting requirements and security procedures. We anticipate it will take 9-12 months to fully implement this recommendation.

       7. Ensure that all contract support providers are aware of security information procedures for handling DOJ data in accordance with DOJ policy.

       All Mega-3 contractors have been provided this information, and required to pass it through to sub-contractors. As to OBD-47 contractors, it will be part of the comprehensive program outlined in response to recommendation #6. To ensure security awareness, the Civil Division will conduct periodic spot-checks of contract support providers.

 Note: Appendix A of the Civil Division Management's response was omitted at the request of the Civil Division because it contained sensitive information.

                                                          APPENDIX VII

            OFFICE OF THE INSPECTOR GENERAL
           ANALYSIS AND SUMMARY OF ACTIONS
            NECESSARY TO CLOSE THE REPORT

       The Civil Division was provided a draft of this audit report and their comments on the findings and recommendations were considered in preparing this Analysis and Summary of Actions Necessary to Close the Report. The Civil Division's response is incorporated as Appendix VI of this report. Since the Civil Division concurred with all of the recommendations, this report is being issued resolved. Our analysis of the Civil Division's responses and a summary of actions necessary to close the recommendations are provided below.

Analysis of Civil Division Response

      In response to our audit report, the Civil Division concurred with our recommendations and discussed the actions it will implement in response to our findings.
In addition, the Civil Division responded to information contained in our report unrelated to our recommendations. We respond to these statements before discussing the Civil Division's specific responses to each of our recommendations and the actions necessary to close those recommendations.

       The Civil Division stated that the OBD 47 contractors regard their participation in Civil Division cases as a public service, and that these experts are not necessarily proficient with technology, nor do they have IT staffs on which to rely. In addition, the Civil Division stated that it is committed to safeguarding its data by imposing appropriate security requirements, but the Civil Division needs to do so without compromising its ability to produce expert testimony. We recognize this challenge with acquiring the OBD 47 contractors. However, in our judgment, given the sensitive nature of the work performed, the Civil Division should ensure that the OBD experts use encrypted laptops. Therefore, we fully support the Civil Division's efforts outlined in its response to recommendation 6 and encourage the Civil Division to explore all options for protecting sensitive data on laptops, such as providing encrypted hardware, support, and training to the OBD 47 contractors.

      The Civil Division stated that it is not aware of any errors in its internal laptop computer tracking database and that it will further examine the database to ensure its accuracy. In our report, we pointed out discrepancies between the ARGIS database and the OLS laptop tracking database and provided an example where information contained in ARGIS did not reconcile with the OLS database. To help ensure the accuracy of the current ARGIS database or any replacement system, the Civil Division has recently completed a physical inventory of all laptop computers and a wall-to-wall inventory of all accountable property. We agree that these efforts should help to ensure the accuracy of the Civil Division's laptop inventory.

      The Civil Division is correct in stating that our findings regarding the presence of a warning banner on computers in its lending pool do not allow projection of the test results to all laptops in its inventory. We reported that 37 of the 49 (76 percent) Civil Division laptop computers we tested did not employ a DOJ system warning banner. The Civil Division stated that it reviewed its laptop inventory and found that this issue was confined to a single laptop model that comprised 46 percent of its laptop computer inventory. We note that while this is less than the 76 percent of computers without the required security banner in our sample, this is still a substantial number of non-compliant laptops.

       The Civil Division stated it followed up with four subcontractors under the Mega 3 contract that we reported as having unencrypted laptop computers. The Civil Division indicated that three of those subcontractors used laptop computers that did not contain DOJ data, while the fourth subcontractor failed to comply with Civil Division requirements. Based on our survey and recommendations 5-7, the Civil Division has taken corrective steps with regard to all Mega 3 contractors and has developed a comprehensive plan for the OBD 47 contractors to develop an inventory of approved laptop computers for contractors and subcontractors, ensure that all DOJ data are stored on encrypted devices, and ensure that all contract support providers are aware of security information procedures.

Summary of Actions Necessary to Close the Recommendations

1. Resolved. The Civil Division concurred with the OIG's recommendation to implement procedures for ensuring that the official inventory database, ARGIS, or any replacement system maintains accurate and reliable information for all Civil Division laptop computers. To help ensure the accuracy of the current ARGIS database, the Civil Division conducted a physical inventory of laptop computers on March 26, 2009. JMD has informed the Civil Division that the conversion to the Unicenter Asset Portfolio Management (UAPM), the successor to the ARGIS database, will occur on November 1, 2009. This recommendation can be closed when we receive documentation showing that the UAPM system is tracking the Civil Division's laptop inventory.

2. Closed. This recommendation is closed based on documentation provided by the Civil Division showing that the laptop computer lending program tracking database has been updated to require the administrator to record whether a loaner laptop computer displays proper encryption information.

3. Resolved. The Civil Division concurred with the OIG's recommendation to label re-imaging computers to indicate that they are not encrypted and not for operational use. The Civil Division stated that the phrase, "Not encrypted – not for operational use" has been permanently marked on the re-imaging laptop computers. This recommendation can be closed when we receive documentation showing that the re-imaging laptop computers are labeled to indicate that they are not encrypted and not for operational use.

4. Closed. This recommendation is closed based on documentation provided by the Civil Division showing that the laptop computer lending program tracking database has been updated to require the administrator to record whether a loaner laptop computer displays the warning banner.

5. Resolved. The Civil Division concurred with the OIG's recommendation to develop and maintain an inventory of authorized or approved non-Civil Division owned laptop computers for contractors, subcontractors, and other entities providing contract support services for the Civil Division. The Civil Division stated that this recommendation will take 9-12 months to fully implement. This recommendation can be closed when we receive documentation showing that an inventory of authorized non-Civil Division owned laptop computers for contractors, subcontractors, and other entities has been created.

6. Resolved. The Civil Division concurred with the OIG's recommendation to ensure that all non-Civil Division laptop computers used to process DOJ data are encrypted or that the Civil Division requires contractors to use encrypted hardware provided by the Civil Division. The Civil Division stated that this recommendation will take 9-12 months to fully implement. This recommendation can be closed when we receive documentation showing that all non-Civil Division laptop computers used to process DOJ data are encrypted or that the Civil Division requires contractors to use encrypted Civil Division-provided hardware.

7. Resolved. The Civil Division concurred with the OIG's recommendation to ensure that all contract support providers are aware of security procedures for handling DOJ data in accordance with DOJ policy. The Civil Division stated that this recommendation will take 9-12 months to fully implement. This recommendation can be closed when we receive documentation showing that all contract support providers are aware of security procedures for handling DOJ data in accordance with DOJ policy.